# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/4.0>,

include <tunables/global>

@{exec_path} = @{bin}/{kmod,lsmod,depmod,insmod,rmmod,modinfo,modprobe}
@{att} = /att/kmod/
profile kmod /{,usr/}bin/{kmod,lsmod,depmod,insmod,rmmod,modinfo,modprobe}  flags=(attach_disconnected,attach_disconnected.path=@{att},complain) {
  include <abstractions/attached/base>
  include <abstractions/app/kmod>
  include <abstractions/nameservice-strict>

  capability dac_read_search,
  capability dac_override,
  capability mknod,
  capability net_admin,
  capability sys_module,
  capability syslog,

  network inet raw,

  @{exec_path} mrix,

  @{sh_path}         rix,
  @{bin}/basename    rix,
  @{bin}/false       rix,
  @{bin}/id          rix,
  @{sbin}/sysctl     rcx -> sysctl,
  @{bin}/true        rix,

  @{lib}/modules/*/modules.* rw,

  @{run}/modprobe.d/{,*.conf} r,

  /tmp/**/*.ko{,.zst} r,
  /usr/src/*/*.ko r,
  /var/lib/dkms/**/module/*.ko r,
  /var/lib/dpkg/triggers/* r,
  /var/lib/ebtables/lock r,

  owner /var/tmp/*modules*/{,**} rw,
  owner /var/tmp/dracut.*/{,**} rw,

  owner @{efi}/System.map-* r,
  owner @{tmp}/mkinitcpio.*/{,**} rw,

  # For local kernel build
  owner @{tmp}/depmod.*/lib/modules/*/ r,
  owner @{tmp}/depmod.*/lib/modules/*/modules.* rw,
  owner @{user_build_dirs}/**/System.map r,
  owner @{user_build_dirs}/**/lib/modules/*/ r,
  owner @{user_build_dirs}/**/lib/modules/*/modules.* rw,
  owner @{user_build_dirs}/**/lib/modules/*/kernel/{,**/} r,
  owner @{user_build_dirs}/**/lib/modules/*/kernel/**/*.ko r,

        @{run}/xtables.lock r,
  owner @{run}/tmpfiles.d/ w,
  owner @{run}/tmpfiles.d/static-nodes.conf w,

  @{sys}/module/{,**} r,

  /dev/tty@{int} rw,

  deny @{user_share_dirs}/gvfs-metadata/* r,
  deny unix (receive) type=stream,

  profile sysctl flags=(attach_disconnected,attach_disconnected.path=@{att},complain) {
    include <abstractions/attached/base>

    @{sbin}/sysctl mr,

    /etc/sysctl.conf r,
    /etc/sysctl.d/{,**} r,
    @{lib}/sysctl.d/{,**} r,

    include if exists <local/kmod_sysctl>
  }

  include if exists <local/kmod>
}

# vim:syntax=apparmor
