# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/4.0>,

include <tunables/global>

# Hook scripts live in both the distribution and the admin hook directories.
@{exec_path} = /usr/share/initramfs-tools/hooks/** /etc/initramfs-tools/hooks/**
# @{att} is left empty: the attachment pattern is spelled out on the profile
# line below rather than taken from this variable.
@{att} = ""
# Confines the scripts run from the initramfs-tools hook directories.
# flags=(complain): violations are logged, not blocked, so this profile
# currently documents observed behaviour rather than enforcing it.
profile initramfs-hooks /{usr/share/initramfs-tools/hooks/**,etc/initramfs-tools/hooks/**} flags=(complain) {
  include <abstractions/base-strict>
  include <abstractions/consoles>
  include <abstractions/fonts>
  include <abstractions/nameservice-strict>

  capability sys_admin, # optional: no audit

  @{exec_path} mr,

  # Execution rules. ix = run under this profile; px = transition to the
  # target's own profile (fails if that profile is not loaded); cx -> ldd =
  # transition to the child profile defined at the bottom of this file.
  @{sh_path}                               rix,
  @{coreutils_path}                        rix,
  @{bin}/{,3}cpio                           ix,
  @{bin}/dpkg                               px,
  @{bin}/fc-cache                           ix,
  @{bin}/ischroot                           px,
  @{ldd_path}                               cx -> ldd,
  @{bin}/plymouth                           px,
  @{bin}/update-alternatives                px,
  @{lib}/dracut/dracut-install              px,
  @{lib}/initramfs-tools/bin/busybox        ix,
  @{lib}/klibc/bin/fstype                   ix,
  @{sbin}/blkid                             px,
  # NOTE(review): pux falls back to unconfined when no cryptsetup profile is
  # loaded, unlike the px rules around it — confirm this fallback is intended.
  @{sbin}/cryptsetup                        pux,
  @{sbin}/dmsetup                           px,
  @{sbin}/iucode_tool                       ix,
  /usr/share/mdadm/mkconf                   px,

  # Read/map only (no exec) on every binary and library: hooks copy these
  # into the image, they do not run them through these rules.
  @{bin}/* mr,
  @{sbin}/* mr,
  @{lib}/ r,
  @{lib}/** mr,

  # Data shipped by packages that hooks pull into the initramfs.
  /usr/share/*/ r,
  /usr/share/*/initramfs/{,**} r,
  /usr/share/initramfs-tools/{,**} r,
  /usr/share/plymouth/{,**} r,

  # Host configuration read (never written) while assembling the image.
  /etc/console-setup/{,**} r,
  /etc/cryptsetup-initramfs/{,**} r,
  /etc/crypttab r,
  /etc/default/* r,
  /etc/fstab r,
  /etc/iscsi/*.iscsi r,
  /etc/kdump/sysctl.conf r,
  /etc/lvm/{,**} r,
  /etc/mdadm/mdadm.conf r,
  /etc/plymouth/plymouthd.conf r,
  /etc/systemd/network/{,**} r,
  /etc/udev/{,**} r,

  / r,
  @{efi}/config-* r,

  # Scratch trees created by mkinitramfs. `owner` limits write access to
  # files owned by the calling uid; the `l ->` targets keep hard links
  # inside the same scratch tree.
        /var/tmp/ r,
        /var/tmp/modules_@{rand6} rw,
  owner /var/tmp/mkinitramfs_@{rand6} rw,
  owner /var/tmp/mkinitramfs_@{rand6}/ rw,
  owner /var/tmp/mkinitramfs_@{rand6}/** rwl -> /var/tmp/mkinitramfs_@{rand6}/**,
  owner /var/tmp/mkinitramfs-@{rand6} rw,
  owner /var/tmp/mkinitramfs-*_@{rand6} rw,
  owner /var/tmp/mkinitramfs-EFW_@{rand10} rw,
  owner /var/tmp/mkinitramfs-EFW_@{rand10}/{,**} rwl,

  # Same scratch layout when mkinitramfs is given a mktemp directory under /tmp.
  owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6} rw,
  owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/ rw,
  owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/** rwl -> /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/**,
  owner /tmp/tmp.@{rand10}/mkinitramfs-@{rand6} rw,
  owner /tmp/tmp.@{rand10}/mkinitramfs-*_@{rand6} rw,
  owner /tmp/tmp.@{rand10}/modules_@{rand6} rw,

  # Hardware discovery (read-only sysfs).
  @{sys}/class/ r,
  @{sys}/class/drm/ r,
  @{sys}/devices/ r,
  @{sys}/devices/@{pci_bus}/ r,
  @{sys}/devices/@{pci}/ r,
  @{sys}/devices/@{pci}/drm/card@{int}/ r,
  @{sys}/devices/@{pci}/drm/renderD128/ r,
  @{sys}/devices/@{pci}/drm/renderD129/ r,
  @{sys}/devices/@{pci}/modalias r,
  @{sys}/devices/virtual/block/dm-@{int}/slaves/ r,
  @{sys}/firmware/efi/efivars/ r,
  @{sys}/module/firmware_class/parameters/path r,

  @{PROC}/@{pid}/fd/ r,
  @{PROC}/@{pid}/mounts r,
  @{PROC}/cmdline r,
  @{PROC}/swaps r,

  # Child profile entered via the `cx -> ldd` rule above. ldd only needs to
  # read/map binaries and libraries; it has no write rules at all.
  profile ldd flags=(complain) {
    include <abstractions/base-strict>
    include <abstractions/consoles>
    include <abstractions/nameservice-strict>

    @{ldd_path}  mrix,

    @{bin}/* mr,
    @{sbin}/* mr,
    @{lib}/**  mr,

    /usr/share/brltty/initramfs/brltty.sh r,

    include if exists <local/initramfs-hooks_ldd>
  }

  include if exists <local/initramfs-hooks>
}

# vim:syntax=apparmor
