# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/4.0>,

include <tunables/global>

@{exec_path} = /etc/init.d/kexec-load
@{att} = ""
profile initd-kexec-load /etc/init.d/kexec-load flags=(complain) {
  include <abstractions/base-strict>

  @{exec_path} r,
  @{sh_path}        rix,

  @{bin}/{,e}grep   rix,
  @{bin}/cat        rix,
  @{bin}/{m,g,}awk  rix,
  @{bin}/cut        rix,
  @{bin}/tail       rix,
  @{bin}/sed        rix,
  @{bin}/head       rix,
  @{bin}/rm         rix,
  @{bin}/readlink   rix,
  @{bin}/tput       rix,

  @{sbin}/kexec     rpx,

  @{bin}/run-parts  rcx -> run-parts,
  @{bin}/systemctl  rcx -> systemctl,

  /no-kexec-reboot rw,

  /etc/default/kexec r,

  @{sys}/kernel/kexec_loaded r,

  owner @{efi}/grub/{grub.cfg,grubenv} r,

  @{PROC}/cmdline r,


  profile run-parts flags=(complain) {
    include <abstractions/base-strict>

    @{bin}/run-parts mr,

    /etc/default/kexec.d/ r,

    include if exists <local/initd-kexec-load_run-parts>
  }

  profile systemctl flags=(complain) {
    include <abstractions/base-strict>
    include <abstractions/wutmp>

    capability sys_resource,

    ptrace (read),

    @{bin}/systemctl mr,

    @{bin}/systemd-tty-ask-password-agent rix,

    owner @{PROC}/@{pid}/stat r,
    owner @{PROC}/@{pid}/fd/ r,
          @{PROC}/sys/kernel/osrelease r,
          @{PROC}/1/sched r,
          @{PROC}/1/environ r,
          @{PROC}/cmdline r,

    /dev/kmsg w,

    owner @{run}/systemd/ask-password/ rw,
    owner @{run}/systemd/ask-password-block/* rw,

    include if exists <local/initd-kexec-load_systemctl>
  }

  include if exists <local/initd-kexec-load>
}

# vim:syntax=apparmor
