# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/4.0>,

include <tunables/global>

# Path of the confined binary; referenced by the `@{exec_path} mr,` file rule
# inside the profile body.
@{exec_path} = @{bin}/lsfd
# Prefix under which disconnected objects are re-attached (used as
# attach_disconnected.path in the profile flags); rules for such objects are
# written as @{att}/... inside the profile.
@{att} = /att/lsfd/
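# Profile for lsfd (lists open file descriptors of processes).
# Flags: the profile runs in complain mode, so operations not matched by a rule
# are only logged, not blocked; attach_disconnected re-attaches disconnected
# objects under @{att}, which is why the mqueue probe below also appears as an
# @{att}/ path rule.
profile lsfd /{,usr/}bin/lsfd  flags=(attach_disconnected,attach_disconnected.path=@{att},complain) {
  include <abstractions/attached/base>
  include <abstractions/nameservice-strict>

  # Inspecting other processes' descriptors needs broad privilege: sys_ptrace
  # together with the ptrace rules below, and dac_read_search, give read access
  # to other users' processes and files. The profile therefore mainly bounds
  # which paths and socket families are reachable, not the privilege itself.
  capability bpf,
  capability checkpoint_restore,
  capability dac_read_search,
  capability net_admin,
  capability sys_admin,
  capability sys_chroot,
  capability sys_ptrace,
  capability sys_resource,
  capability syslog,

  # Socket families lsfd opens; the duplicate `network inet6 stream,` rule was
  # dropped, one rule per family/type is sufficient.
  network inet dgram,
  network inet stream,
  network inet6 dgram,
  network inet6 raw,
  network inet6 stream,
  network netlink dgram,
  network netlink raw,
  network packet dgram,

  ptrace read,
  ptrace trace,

  # Presumably a self-test mqueue lsfd creates and removes; the same object
  # shows up as a disconnected path under @{att} (owner rule below).
  mqueue (read create delete getattr) type=posix /.lsfd-mqueue-nodev-test:@{int},

  @{exec_path} mr,

  / r,
  @{att}/ r,

  owner @{att}/.lsfd-mqueue-nodev-test:@{int} rw,

  @{run}/ r,
  @{run}/netns/ r,

  @{sys}/kernel/cpu_byteorder r,

  # Per-process information read for every pid; no write access anywhere
  # under @{PROC} is granted.
  @{PROC}/ r,
  @{PROC}/@{pids}/ r,
  @{PROC}/@{pids}/comm r,
  @{PROC}/@{pids}/fd/ r,
  @{PROC}/@{pids}/fdinfo/@{int} r,
  @{PROC}/@{pids}/maps r,
  @{PROC}/@{pids}/mountinfo r,
  @{PROC}/@{pids}/net/* r,
  @{PROC}/@{pids}/stat r,
  @{PROC}/@{pids}/syscall r,
  @{PROC}/@{pids}/task/ r,
  @{PROC}/devices r,
  @{PROC}/misc r,
  @{PROC}/partitions r,
  @{PROC}/tty/drivers r,

  include if exists <local/lsfd>
}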

# vim:syntax=apparmor
