# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2022 Mikhail Morfikov
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/4.0>,

include <tunables/global>

# Binary this profile attaches to; the attachment path on the `profile` line
# below is spelled out with {,usr/}{,s}bin/ so merged and unmerged /usr both match.
@{exec_path} = @{sbin}/mkinitramfs
# Empty attachment-prefix variable (apparmor.d convention) — presumably left
# empty so sub-profiles are not re-attached; verify against the project docs.
@{att} = ""
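profile mkinitramfs /{,usr/}{,s}bin/mkinitramfs flags=(complain) {
  include <abstractions/base-strict>
  include <abstractions/consoles>

  # NOTE(review): flags=(complain) means violations are only logged, never
  # denied — nothing here is enforced until the flag is removed. The rules
  # below are still written as an enforce-ready allow list.

  capability chown,
  capability dac_read_search,
  capability fowner,
  capability fsetid,
  capability sys_admin, # optional: no audit
  capability syslog,

  mqueue getattr type=posix,

  @{exec_path} r,
  @{sh_path}   rix,

  @{bin}/ r,
  @{lib}/ r,

  # Helpers that run inline (ix) under this profile's confinement.
  @{bin}/{,e}grep   rix,
  @{bin}/basename   rix,
  @{bin}/bzip2      rix,
  @{bin}/cat        rix,
  @{bin}/chmod      rix,
  @{bin}/cp         rix,
  @{bin}/{,3}cpio   rix,
  @{bin}/dirname    rix,
  @{bin}/env        rix,
  @{bin}/find       rix,
  @{bin}/getopt     rix,
  @{bin}/gzip       rix,
  @{bin}/id         rix,
  @{bin}/ln         rix,
  @{bin}/lzma       rix,
  @{bin}/lzop       rix,
  @{bin}/mkdir      rix,
  @{bin}/mktemp     rix,
  @{bin}/readlink   rix,
  @{bin}/realpath   rix,
  @{bin}/rm         rix,
  @{bin}/rmdir      rix,
  @{bin}/sed        rix,
  @{bin}/sort       rix,
  @{bin}/stat       rix,
  @{bin}/touch      rix,
  @{bin}/tr         rix,
  @{bin}/tsort      rix,
  @{bin}/uname      rix,
  @{bin}/uniq       rix,
  @{bin}/xargs      rix,
  @{bin}/xz         rix,
  @{bin}/zstd       rix,
  @{lib}/dracut/dracut-install rix,
  @{sbin}/blkid     rpx,

  # Tools that need capabilities or paths this profile should not hold get
  # their own child profile (cx) — see the nested profiles at the bottom.
  @{bin}/kmod                 rcx -> kmod,
  @{sbin}/ldconfig            rcx -> ldconfig,
  @{ldd_path}                 rcx -> ldd,

  @{bin}/dpkg          rpx -> child-dpkg,
  @{bin}/linux-version rpx,

  # Hooks and boot scripts run under their own profile (px). With px there is
  # no fallback to unconfined: in enforce mode a hook without a matching
  # profile fails to execute, so a new hook needs a profile, not a rule here.
  @{lib}/initramfs-tools/hooks/**         rpx,
  /etc/initramfs-tools/hooks/**           rpx,
  /etc/initramfs-tools/scripts/**         rpx,
  /usr/share/initramfs-tools/hooks/**     rpx,
  /usr/share/initramfs-tools/scripts/**   rpx,

  /usr/share/initramfs-tools/{,**} r,
  /etc/initramfs-tools/{,**} r,

  /etc/xattr.conf r,

  # For shell pwd
  / r,
  /etc/ r,
  /root/ r,

  /etc/modprobe.d/{,*.conf} r,

  # Output image: only the .new file is written; the rename into place is done
  # by the caller (update-initramfs), which keeps this profile write-only on
  # the staging name.
        @{efi}/ r,
  owner @{efi}/config-* r,
  owner @{efi}/initrd.img-*.new rw,

  owner /var/lib/kdump/initramfs-tools/** rw,
  owner /var/lib/kdump/initrd.* rw,

  # Staging tree under /var/tmp. The link rule restricts hard-link targets to
  # the staging tree itself, so the build cannot link arbitrary files into
  # the image. Unlike the /tmp set below these rules carry no `owner`
  # qualifier; mkinitramfs runs as root and creates the tree itself, so
  # `owner` is presumably safe here too — TODO confirm before tightening.
  /var/tmp/ r,
  /var/tmp/modules_@{rand6} rw,
  /var/tmp/mkinitramfs_@{rand6} rw,
  /var/tmp/mkinitramfs_@{rand6}/ rw,
  /var/tmp/mkinitramfs_@{rand6}/** rwl -> /var/tmp/mkinitramfs_@{rand6}/**,
  /var/tmp/mkinitramfs-@{rand6} rw,
  /var/tmp/mkinitramfs-*_@{rand6} rw,

  # Same staging layout when TMPDIR points at a mktemp -d directory in /tmp.
  owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6} rw,
  owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/ rw,
  owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/** rwl -> /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/**,
  owner /tmp/tmp.@{rand10}/mkinitramfs-@{rand6} rw,
  owner /tmp/tmp.@{rand10}/mkinitramfs-*_@{rand6} rw,
  owner /tmp/tmp.@{rand10}/modules_@{rand6} rw,

  # Hardware enumeration (read-only) used to pick modules for the image.
  @{sys}/bus/ r,
  @{sys}/bus/*/drivers/ r,
  @{sys}/bus/*/drivers/*/ r,
  @{sys}/class/ r,
  @{sys}/class/*/ r,
  @{sys}/devices/ r,
  @{sys}/devices/**/ r,
  @{sys}/devices/**/modalias r,
  @{sys}/devices/**/uevent r,
  @{sys}/module/ r,
  @{sys}/module/compression r,
  @{sys}/module/firmware_class/parameters/path r,

  @{sys}/bus/platform/drivers/simple-framebuffer/ r,
  @{sys}/fs/cgroup/system.slice/cpu.max r,
  @{sys}/fs/cgroup/user.slice/cpu.max r,
  @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r,
  @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-*.scope/cpu.max r,

        @{PROC}/@{pid}/cgroup r,
        @{PROC}/@{pid}/mountinfo r,
        @{PROC}/@{pid}/mounts r,
        @{PROC}/cmdline r,
        @{PROC}/modules r,
  owner @{PROC}/@{pid}/fd/ r,

  # ldd has to map whatever binary it is asked about, hence the broad
  # read+map rules over @{bin}, @{sbin} and @{lib}; it gets no write access.
  profile ldd flags=(complain) {
    include <abstractions/base-strict>
    include <abstractions/consoles>
    include <abstractions/nameservice-strict>

    @{ldd_path}  mrix,
    @{sh_path}    rix,

    @{bin}/* mr,
    @{sbin}/* mr,
    @{lib}/** mr,

    include if exists <local/mkinitramfs_ldd>
  }

  # ldconfig is run against the staging tree (chroot), which is why
  # sys_chroot is confined to this child rather than the parent profile.
  profile ldconfig flags=(complain) {
    include <abstractions/base-strict>
    include <abstractions/consoles>

    capability sys_chroot,

    @{sbin}/ldconfig  mr,

    @{sh_path}               rix,
    @{sbin}/ldconfig.real    rix,

    owner /var/tmp/mkinitramfs_@{rand6}/** rwl -> /var/tmp/mkinitramfs_@{rand6}/**,
    owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/** rwl -> /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/**,

    include if exists <local/mkinitramfs_ldconfig>
  }

  # kmod/depmod on the staged module tree: read the .ko files, write only the
  # generated modules.* indexes. All three staging locations are now
  # owner-qualified; the /tmp/tmp.*/mkinitramfs_* set previously was not,
  # which was inconsistent with its siblings and with the parent profile.
  profile kmod flags=(complain) {
    include <abstractions/base-strict>
    include <abstractions/app/kmod>

    owner /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/ r,
    owner /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/kernel/{,**/} r,
    owner /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/kernel/**/*.ko* r,
    owner /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/modules.* rw,
    owner /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/updates/{,**} r,

    owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/usr/lib/modules/*/ r,
    owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/usr/lib/modules/*/kernel/{,**/} r,
    owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/usr/lib/modules/*/kernel/**/*.ko* r,
    owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/usr/lib/modules/*/modules.* rw,
    owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/usr/lib/modules/*/updates/{,**} r,

    owner /tmp/tmp.@{rand10}/usr/lib/modules/*/ r,
    owner /tmp/tmp.@{rand10}/usr/lib/modules/*/kernel/{,**/} r,
    owner /tmp/tmp.@{rand10}/usr/lib/modules/*/kernel/**/*.ko* r,
    owner /tmp/tmp.@{rand10}/usr/lib/modules/*/modules.* rw,
    owner /tmp/tmp.@{rand10}/usr/lib/modules/*/updates/{,**} r,

    @{sys}/module/compression r,

    include if exists <local/mkinitramfs_kmod>
  }

  include if exists <local/mkinitramfs>
}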

# vim:syntax=apparmor
