# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/4.0>,

include <tunables/global>

# Profile-local variables.
# @{exec_path}: the confined binary; referenced again as the `mr` rule inside the profile.
# @{att}: prefix given to disconnected paths, used by every attach_disconnected.path=
#         flag below (main profile and the three child profiles).
@{exec_path} = @{sbin}/kdump-config
@{att} = /att/kdump-config/
# kdump-config: confinement for the kdump-tools helper that loads/unloads the
# crash kernel. The attachment glob matches both /sbin and /usr/sbin spellings.
#
# NOTE: the profile and all three child profiles carry the `complain` flag, so
# rule violations are logged (audit) rather than denied; enforcement only starts
# once that flag is removed.
profile kdump-config /{,usr/}{,s}bin/kdump-config  flags=(attach_disconnected,attach_disconnected.path=@{att},complain) {
  include <abstractions/attached/base>

  # Broad capability kept in the parent profile; the visible rules do not show
  # which operation needs it here (the kexec child declares its own sys_admin).
  # TODO(review): confirm against audit logs which call requires it in the parent.
  capability sys_admin,

  @{exec_path} mr,

  # Coreutils and helpers run with `ix` inherit this profile's rules.
  # Tools that get their own policy use `px` (plymouth) or are moved into the
  # narrower child profiles declared below via `cx -> name`.
  @{sh_path}       rix,
  @{bin}/{,e}grep   ix,
  @{bin}/basename   ix,
  @{bin}/cat        ix,
  @{bin}/cmp        ix,
  @{bin}/cp         ix,
  @{bin}/cut        ix,
  @{bin}/file       ix,
  @{bin}/find       ix,
  @{bin}/flock      ix,
  @{bin}/hexdump    ix,
  @{bin}/ln         ix,
  @{bin}/logger     ix,
  @{bin}/plymouth   px,
  @{bin}/readlink   ix,
  @{bin}/rev        ix,
  @{bin}/rm         ix,
  @{bin}/run-parts  ix,
  @{bin}/sed        ix,
  @{bin}/systemctl  cx -> systemctl,
  @{bin}/uname      ix,
  @{sbin}/kexec     cx -> kexec,
  @{sbin}/sysctl    cx -> sysctl,

  # Kernel post-install hook: readable and executed under its own profile (px).
  /etc/kernel/postinst.d/kdump-tools rpx,

  # Configuration is read-only from this profile.
  /etc/kdump/{,**} r,
  /etc/default/kdump-tools r,
  /etc/magic r,

  / r,
  @{efi}/ r,

  # Runtime state. `k` on the lock file grants file locking (pairs with the
  # flock rule above); kexec_cmd is write-only from here.
  /var/crash/kdump_lock wk,
  /var/crash/kexec_cmd w,
  /var/lib/kdump/{,**} rw,

  # Scratch tree for initramfs generation. `owner` limits access to files owned
  # by the confined task's uid, and the `l ->` target confines hard links to the
  # same temporary tree rather than arbitrary paths.
  owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6} rw,
  owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/ rw,
  owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/** rwl -> /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/**,
  owner /tmp/tmp.@{rand10}/mkinitramfs-@{rand6} rw,
  owner /tmp/tmp.@{rand10}/mkinitramfs-*_@{rand6} rw,

  # Firmware/kernel state, read-only: presumably used to detect Secure Boot and
  # whether a crash kernel is already loaded — confirm against the script.
  @{sys}/firmware/efi/efivars/ r,
  @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,
  @{sys}/firmware/efi/efivars/SetupMode-@{uuid} r,
  @{sys}/kernel/kexec_crash_loaded r,

  @{PROC}/cmdline r,
  @{PROC}/iomem r,

  # Child profile for systemctl: isolates the net_admin/sys_ptrace capabilities
  # and the ptrace-read of systemd from the parent's rule set.
  profile systemctl  flags=(attach_disconnected,attach_disconnected.path=@{att},complain) {
    include <abstractions/attached/base>
    include <abstractions/app/systemctl>

    capability net_admin,
    capability sys_ptrace,

    ptrace read peer=@{p_systemd},

    include if exists <local/kdump-config_systemctl>
  }

  # Child profile for sysctl: the only writable path is the single
  # panic_on_oops knob; no capabilities are granted here.
  profile sysctl flags=(attach_disconnected,attach_disconnected.path=@{att},complain) {
    include <abstractions/attached/base>

    @{sbin}/sysctl mr,

    @{PROC}/sys/kernel/panic_on_oops rw,

    include if exists <local/kdump-config_sysctl>
  }

  # Child profile for kexec: sys_boot is required by the kexec_load() syscall;
  # sys_admin is re-declared here because child profiles do not inherit the
  # parent's capabilities. File access is read-only.
  profile kexec flags=(attach_disconnected,attach_disconnected.path=@{att},complain) {
    include <abstractions/attached/base>

    capability sys_admin,
    capability sys_boot,

    @{sbin}/kexec mr,

    @{efi}/* r,

    # Narrower than the parent's rw rule: owner-only and read-only.
    owner /var/lib/kdump/* r,

    @{PROC}/iomem r,

    include if exists <local/kdump-config_kexec>
  }

  # Site-local additions, loaded only if the file exists.
  include if exists <local/kdump-config>
}

# vim:syntax=apparmor
