# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/4.0>,

include <tunables/global>

# Root under which disconnected paths are re-attached
# (used by attach_disconnected.path= in the profile flags below).
@{att} = /att/packagekitd/
# Daemon binary; also the profile's attachment path.
@{exec_path} = @{lib}/packagekitd
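# Confines the PackageKit daemon, which installs and removes packages as root.
# NOTE(review): every profile in this file carries the `complain` flag, so
# violations are only logged, NOT denied, until that flag is removed.
# Attachment uses @{exec_path} so it cannot drift from the `mr` rule below.
profile packagekitd @{exec_path} flags=(attach_disconnected,attach_disconnected.path=@{att},complain) {
  include <abstractions/attached/base>

  include <abstractions/bus-system>
  include <abstractions/bus/system/org.freedesktop.login1>
  include <abstractions/bus/org.freedesktop.NetworkManager>
  include <abstractions/bus/org.freedesktop.PolicyKit1>
  include <abstractions/nameservice-strict>
  include <abstractions/ssl_certs>

  # Root-level file management during package install/remove. Every
  # capability here is security-sensitive; justify additions with a denial log.
  capability chown,
  capability dac_override,
  capability dac_read_search,
  capability fowner,
  capability kill,
  capability mknod,
  # net_admin is unusual for a package manager — presumably required by a
  # backend helper; confirm before keeping it.
  capability net_admin,
  capability setgid,
  capability setuid,
  capability sys_chroot,
  capability sys_nice,

  # Repository access over IPv4/IPv6; netlink raw presumably for
  # interface/route monitoring — confirm.
  network inet stream,
  network inet6 stream,
  network inet dgram,
  network inet6 dgram,
  network netlink raw,

  # Only the helpers it spawns itself may be signalled.
  signal send set=int peer=apt-methods-*,
  signal send set=term peer=systemd-inhibit,

  include <abstractions/bus/system/own>

  # Owns org.freedesktop.PackageKit on the system bus. Callers are not
  # restricted by peer label here; presumably PolicyKit (included above)
  # authorises the privileged methods — confirm.
  dbus bind bus=system name=org.freedesktop.PackageKit{,.*},
  dbus receive bus=system path=/**
       interface=org.freedesktop.PackageKit{,.*}
       peer=(name="@{busname}"),
  dbus send bus=system path=/**
       interface=org.freedesktop.PackageKit{,.*}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  dbus (send receive) bus=system path=/**
       interface=org.freedesktop.DBus.Properties
       member={Get,GetAll,Set,PropertiesChanged}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  dbus receive bus=system path=/**
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name="@{busname}"),
  dbus receive bus=system path=/**
       interface=org.freedesktop.DBus.ObjectManager
       member=GetManagedObjects
       peer=(name="{@{busname},org.freedesktop.PackageKit{,.*}}"),
  dbus send bus=system path=/**
       interface=org.freedesktop.DBus.ObjectManager
       member={InterfacesAdded,InterfacesRemoved}
       peer=(name="{@{busname},org.freedesktop.DBus}"),

  @{exec_path} mr,

  # Signature verification runs in the narrower `gpg` child profile below.
  @{bin}/gpg{,2}  rcx -> gpg,
  @{bin}/gpgconf  rcx -> gpg,
  @{bin}/gpgsm    rcx -> gpg,

  # Inline helpers (rix) inherit this profile's very broad write access;
  # anything that parses untrusted data should get its own profile instead.
  @{sh_path}            rix,
  @{bin}/cp             rix,
  @{bin}/echo           rix,
  @{bin}/gdbus          rix,
  @{bin}/gzip           rix,
  @{bin}/id             rix,
  @{sbin}/ldconfig      rix,
  @{bin}/repo2solv      rix,
  @{bin}/tar            rix,
  @{bin}/test           rix,
  @{bin}/touch          rix,

  # Post-install hooks, each confined by its own profile.
  @{bin}/appstreamcli                rpx,
  @{bin}/arch-audit                  rpx,
  @{bin}/fc-cache                    rpx,
  @{bin}/glib-compile-schemas        rpx,
  @{bin}/install-info                rpx,
  @{bin}/ischroot                    rpx,
  @{bin}/systemctl                   rcx -> systemctl,
  @{bin}/systemd-inhibit             rpx,
  @{bin}/update-desktop-database     rpx,

  @{lib}/cnf-update-db               rpx,
  @{lib}/update-notifier/update-motd-updates-available  rpx,
  # TODO: write the profile. `pux` falls back to UNCONFINED when no profile
  # is loaded, so this helper is effectively unconfined today.
  @{lib}/zypp/plugins/appdata/InstallAppdata rpux,
  /usr/share/libalpm/scripts/*       rpx,

  #aa:lint ignore=too-wide
  # Install/update packages: a package manager must write anywhere under
  # these trees. This is the widest part of the policy and the reason the
  # exec rules above matter.
  / r,
  /*{,/} rw,
  @{efi}/** rwl -> @{efi}/**,
  /etc/** rwl -> /etc/**,
  /opt/** rwl -> /opt/**,
  /srv/** rwl -> /srv/**,
  /usr/** rwlk -> /usr/**,
  /var/** rwlk -> /var/**,

  # apt changelog download. The directory and .changelog files are not
  # owner-restricted while the privs-test file is — presumably written under
  # a different uid; confirm before tightening. Uses @{tmp} like the sibling
  # rules rather than a bare /tmp/.
        @{tmp}/apt-changelog-@{rand6}/ w,
        @{tmp}/apt-changelog-@{rand6}/*.changelog rw,
  owner @{tmp}/alpm_*/{,**} rw,
  owner @{tmp}/apt-changelog-@{rand6}/.apt-acquire-privs-test.@{rand6} rw,
  owner @{tmp}/packagekit* rw,

  # Inhibitor lock handed over by systemd-inhibit, seen via the re-attach root.
  @{att}@{run}/systemd/inhibit/@{int}.ref rw,

  owner @{run}/systemd/users/@{uid} r,

  owner /dev/shm/AP_0x@{rand6}/{,**} rw,
  owner /dev/shm/ r,

  @{sys}/**/ r,
  @{sys}/devices/**/modalias r,

        @{PROC}/@{pids}/cgroup r,
        @{PROC}/@{pids}/mountinfo r,
        @{PROC}/sys/kernel/random/uuid r,
        @{PROC}/@{pid}/cmdline r,
  owner @{PROC}/@{pid}/fd/ r,
  owner @{PROC}/@{pid}/mounts r,

  /dev/ptmx r,
  /dev/tty rw,

  # gpg/gpgconf/gpgsm: keyring access only, none of the parent's wide writes.
  profile gpg flags=(attach_disconnected,attach_disconnected.path=@{att},complain) {
    include <abstractions/attached/base>
    include <abstractions/nameservice-strict>

    capability dac_read_search,

    @{bin}/gpg{,2}  mr,
    @{bin}/gpgconf  mr,
    @{bin}/gpgsm    mr,

    @{bin}/gpg-agent rix,
    @{bin}/scdaemon  rix,
    @{lib}/{,gnupg/}scdaemon rix,

    /etc/gcrypt/hwf.deny r,

    @{HOME}/@{XDG_GPG_DIR}/*.conf r,

    # Pacman keyring. The link target must stay inside the keyring directory
    # (previously pointed at /tmp/), mirroring the @{run} gnupg rule below.
    owner /etc/pacman.d/gnupg/ r,
    owner /etc/pacman.d/gnupg/** rwkl -> /etc/pacman.d/gnupg/**,

    # Per-user gnupg runtime dir: read the directory, full access to its
    # contents (the rwkl rule applies to files, not the directory itself).
    owner @{run}/user/@{uid}/gnupg/ r,
    owner @{run}/user/@{uid}/gnupg/** rwkl -> @{run}/user/@{uid}/gnupg/**,

    owner @{PROC}/@{pid}/fd/ r,
    owner @{PROC}/@{pid}/task/@{tid}/comm rw,

    include if exists <local/packagekitd_gpg>
  }

  # systemctl invoked for service restarts after package changes.
  profile systemctl flags=(attach_disconnected,attach_disconnected.path=@{att},complain) {
    include <abstractions/attached/base>
    include <abstractions/app/systemctl>

    capability net_admin,

    include if exists <local/packagekitd_systemctl>
  }

  include if exists <local/packagekitd>
}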

# vim:syntax=apparmor
