# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2022 Mikhail Morfikov
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/4.0>,

include <tunables/global>

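@{exec_path} = @{bin}/run-parts
# run-parts(8) executes every script found in a directory (cron.*,
# /etc/network/if-*.d, /etc/kernel/*.d, /etc/update-motd.d). Everything it
# spawns either stays in this profile or leaves it according to the exec
# mode on each rule below, so the exec modes are the security-relevant part
# of this file. flags=(complain): violations are logged, not denied.
#
# Exec mode legend used in this file:
#   rix             run inside this profile (inherit)
#   rpx             transition to the target's own profile (must exist)
#   rpx -> NAME     transition to the named profile
#   rcx -> NAME     transition to the child profile NAME defined below
#   rpux            transition to the target's profile if one is loaded,
#                   otherwise run unconfined (lower-case u: the environment
#                   is not scrubbed on the transition)
#
# The attachment uses @{exec_path} so the attached path and the mrix rule
# below cannot drift apart.
profile run-parts @{exec_path} flags=(complain) {
  include <abstractions/base>
  include <abstractions/consoles>
  include <abstractions/nameservice-strict>

  # NOTE(review): nothing in the rix set below obviously needs mknod;
  # confirm against audit logs whether this capability is still required.
  capability mknod,

  @{exec_path} mrix,

  # Helpers that run inside this profile.
  @{sh_path}         rix,
  @{bin}/anacron     rix,
  @{bin}/cat         rix,
  @{bin}/date        rix,
  @{bin}/nice        rix,
  @{bin}/snapper     rix,

  /usr/share/update-notifier/notify-reboot-required   rpx,
  /usr/share/update-notifier/notify-updates-outdated  rpx,

  /etc/ r,
  /etc/anacrontab                                      r,
  /etc/conf.d/snapper{,**}                             r,
  /etc/default/*                                       r,
  /etc/snapper/configs/root                            r,

  # Crontab
  # Periodic jobs. 0anacron runs in-profile; rpx jobs require their own
  # profile; rpux jobs fall back to unconfined when no profile is loaded.
  /etc/cron.{hourly,daily,weekly,monthly}/                     r,
  /etc/cron.{hourly,daily,weekly,monthly}/0anacron             rix,
  /etc/cron.{hourly,daily,weekly,monthly}/apport               rpx,
  /etc/cron.{hourly,daily,weekly,monthly}/apt-compat           rpx,
  /etc/cron.{hourly,daily,weekly,monthly}/apt-listbugs         rpx,
  /etc/cron.{hourly,daily,weekly,monthly}/apt-show-versions    rpx,
  /etc/cron.{hourly,daily,weekly,monthly}/apt-xapian-index     rpx,
  /etc/cron.{hourly,daily,weekly,monthly}/aptitude             rpx,
  /etc/cron.{hourly,daily,weekly,monthly}/bsdmainutils        rpux,
  /etc/cron.{hourly,daily,weekly,monthly}/checksecurity       rpux,
  /etc/cron.{hourly,daily,weekly,monthly}/debsums              rpx,
  /etc/cron.{hourly,daily,weekly,monthly}/debtags              rpx,
  /etc/cron.{hourly,daily,weekly,monthly}/dlocate              rpx,
  /etc/cron.{hourly,daily,weekly,monthly}/dpkg                rpux,
  /etc/cron.{hourly,daily,weekly,monthly}/etckeeper            rpx,
  /etc/cron.{hourly,daily,weekly,monthly}/exim4-base           rpx,
  /etc/cron.{hourly,daily,weekly,monthly}/logrotate            rpx,
  /etc/cron.{hourly,daily,weekly,monthly}/man-db               rpx,
  /etc/cron.{hourly,daily,weekly,monthly}/mlocate              rpx,
  /etc/cron.{hourly,daily,weekly,monthly}/passwd              rpux,
  /etc/cron.{hourly,daily,weekly,monthly}/plocate              rpx,
  /etc/cron.{hourly,daily,weekly,monthly}/popularity-contest   rpx,
  /etc/cron.{hourly,daily,weekly,monthly}/snapper             rpux,
  /etc/cron.{hourly,daily,weekly,monthly}/spamassassin        rpux,
  /etc/cron.{hourly,daily,weekly,monthly}/sysstat              rpx,
  /etc/cron.{hourly,daily,weekly,monthly}/tor                 rpux,
  /etc/cron.{hourly,daily,weekly,monthly}/vrms                rpux,
  # Anacron timestamp files (rw here for every period; the lock (k) is
  # granted only on cron.daily further down).
  /var/spool/anacron/cron.{hourly,daily,weekly,monthly}       rw,

  # Network
  # ifupdown hooks. All of these are rpux: each hook runs under its own
  # profile when one is loaded and unconfined otherwise.
  /etc/network/if-down.d/ r,
  /etc/network/if-down.d/openvpn             rpux,
  /etc/network/if-down.d/resolvconf          rpux,
  /etc/network/if-down.d/wpasupplicant       rpux,

  /etc/hostapd/ifupdown.sh                   rpux,
  /etc/macchanger/ifupdown.sh                rpux,
  /etc/wpa_supplicant/ifupdown.sh            rpux,

  /etc/network/if-post-down.d/ r,
  /etc/network/if-post-down.d/bridge         rpux,
  /etc/network/if-post-down.d/chrony         rpux,
  /etc/network/if-post-down.d/hostapd        rpux,
  /etc/network/if-post-down.d/ifenslave      rpux,
  /etc/network/if-post-down.d/macchanger     rpux,
  /etc/network/if-post-down.d/wireless-tools rpux,
  /etc/network/if-post-down.d/wpasupplicant  rpux,

  /etc/network/if-pre-up.d/ r,
  /etc/network/if-pre-up.d/bridge            rpux,
  /etc/network/if-pre-up.d/ethtool           rpux,
  /etc/network/if-pre-up.d/hostapd           rpux,
  /etc/network/if-pre-up.d/ifenslave         rpux,
  /etc/network/if-pre-up.d/macchanger        rpux,
  /etc/network/if-pre-up.d/random-secret     rpux,
  /etc/network/if-pre-up.d/wireless-tools    rpux,
  /etc/network/if-pre-up.d/wpasupplicant     rpux,

  /etc/network/if-up.d/ r,
  # Glob: any file in if-up.d whose name ends in "resolvconf" matches.
  /etc/network/if-up.d/*resolvconf           rpux,
  /etc/network/if-up.d/avahi-autoipd         rpux,
  /etc/network/if-up.d/chrony                rpux,
  /etc/network/if-up.d/ethtool               rpux,
  /etc/network/if-up.d/ifenslave             rpux,
  /etc/network/if-up.d/openvpn               rpux,
  /etc/network/if-up.d/postfix               rpux,
  /etc/network/if-up.d/ubuntu-fan             rpx,
  /etc/network/if-up.d/wpasupplicant         rpux,

  # Motd
  # Every update-motd.d script runs in the "motd" child profile below.
  /etc/update-motd.d/ r,
  /etc/update-motd.d/* rcx -> motd,

  # Kernel
  # Kernel package hooks run in the "kernel" child profile below, which
  # carries CAP_SYS_MODULE.
  /etc/kernel/header_postinst.d/ r,
  /etc/kernel/header_postinst.d/dkms          rcx -> kernel,

  /etc/kernel/postinst.d/ r,
  /etc/kernel/postinst.d/apt-auto-removal     rcx -> kernel,
  /etc/kernel/postinst.d/dkms                 rcx -> kernel,
  /etc/kernel/postinst.d/initramfs-tools      rcx -> kernel,
  /etc/kernel/postinst.d/unattended-upgrades  rcx -> kernel,
  /etc/kernel/postinst.d/zz-update-grub       rcx -> kernel,
  /etc/kernel/postinst.d/zz-shim              rcx -> kernel,
  /etc/kernel/postinst.d/xx-update-initrd-links rcx -> kernel,

  /etc/kernel/postrm.d/ r,
  /etc/kernel/postrm.d/initramfs-tools        rcx -> kernel,
  /etc/kernel/postrm.d/zz-update-grub         rcx -> kernel,

  /etc/kernel/preinst.d/ r,
  /etc/kernel/preinst.d/intel-microcode       rcx -> kernel,

  /etc/kernel/prerm.d/ r,
  /etc/kernel/prerm.d/dkms                    rcx -> kernel,

  /usr/share/finalrd/ r,
  /usr/share/finalrd/mdadm.finalrd rpux,
  /usr/share/finalrd/open-iscsi.finalrd rpux,

  /usr/share/landscape/landscape-sysinfo.wrapper rpux,

  /root/ r,

  # Lock on the daily timestamp only (see the rw rule in the Crontab block).
  /var/spool/anacron/cron.daily k,

  # Temporary files: #NNN is how anonymous (O_TMPFILE) inodes appear.
  owner @{tmp}/#@{int} rw,
  owner @{tmp}/$anacron@{rand6} rw,
  owner @{tmp}/file@{rand6} rw,

  owner @{sys}/class/power_supply/            r,

  /dev/tty@{int} rw,

  # Child profile for /etc/update-motd.d/* (reached via rcx above).
  profile motd flags=(complain) {
    include <abstractions/base>
    include <abstractions/nameservice-strict>

    @{sh_path}        rix,
    @{bin}/{e,}grep   rix,
    @{bin}/cat        rix,
    @{bin}/cut        rix,
    @{bin}/find       rix,
    @{bin}/head       rix,
    @{bin}/id         rix,
    @{bin}/sort       rix,
    @{bin}/tr         rix,
    @{bin}/uname      rix,

    # snap is rpux: unconfined if no snap profile is loaded.
    @{bin}/snap                                                   rpux,
    @{lib}/ubuntu-release-upgrader/release-upgrade-motd            rpx,
    @{lib}/update-notifier/update-motd-fsck-at-reboot              rpx,
    @{lib}/update-notifier/update-motd-reboot-required             rix,
    /usr/share/unattended-upgrades/update-motd-unattended-upgrades rix,
    /usr/share/update-notifier/notify-updates-outdated             rpx,

    / r,
    /etc/default/motd-news r,
    /etc/lsb-release r,
    /etc/update-motd.d/* r,

    /var/cache/motd-news rw,
    /var/lib/update-notifier/updates-available r,
    /var/lib/ubuntu-advantage/messages/motd-esm-announce r,

    @{run}/motd.d/{,*} r,

    @{PROC}/@{pids}/mounts r,

    /dev/tty@{int} rw,
  }

  # Child profile for /etc/kernel/*.d hooks (reached via rcx above).
  profile kernel flags=(complain) {
    include <abstractions/base>
    include <abstractions/consoles>
    include <abstractions/nameservice-strict>

    # kmod runs in-profile (rix below), so module loading needs
    # CAP_SYS_MODULE here.
    capability sys_module,

    @{sh_path}        rix,
    @{bin}/{,e}grep   rix,
    @{bin}/{,m,g}awk  rix,
    @{bin}/cat        rix,
    @{bin}/chmod      rix,
    @{bin}/cut        rix,
    @{bin}/dirname    rix,
    @{bin}/kmod       rix,
    @{bin}/mv         rix,
    @{bin}/rm         rix,
    @{bin}/rmdir      rix,
    @{bin}/sed        rix,
    @{bin}/sort       rix,
    @{bin}/touch      rix,
    @{bin}/tr         rix,
    @{bin}/uname      rix,
    @{bin}/which{,.debianutils}      rix,

    @{bin}/apt-config               rpx,
    @{bin}/dkms                     rpx,
    # child-dpkg is expected to be provided by another profile file.
    @{bin}/dpkg                     rpx -> child-dpkg,
    @{bin}/systemd-detect-virt      rpx,
    @{bin}/update-alternatives      rpx,
    # update-grub is rpux: unconfined if no update-grub profile is loaded.
    @{bin}/update-grub             rpux,
    @{bin}/update-initramfs         rpx,
    @{lib}/dkms/dkms_autoinstaller  rpx,

    @{lib}/modules/*/updates/ w,
    @{lib}/modules/*/updates/dkms/ w,

    /etc/kernel/header_postinst.d/* r,
    /etc/kernel/{postinst,postrm,preinst,prerm}.d/* r,

    # For shell pwd
    / r,
    /boot/ r,

    /etc/apt/apt.conf.d/ r,
    /etc/apt/apt.conf.d/01autoremove-kernels{,.dpkg-new} rw,
    /etc/modprobe.d/ r,
    /etc/modprobe.d/*.conf r,

    @{run}/reboot-required w,
    @{run}/reboot-required.pkgs rw,

    @{PROC}/devices r,
    @{PROC}/cmdline r,

  }

  # Site-local additions, loaded only if the file exists.
  include if exists <local/run-parts>
}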

# vim:syntax=apparmor
