# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/4.0>,

include <tunables/global>

# Binaries this profile is meant for; the profile header below carries the
# expanded form of this list as its attachment. The trailing directive
# suppresses the apparmor.d lint check named "sbin" for this line.
@{exec_path} = @{sbin}/qemu-ga @{bin}/qemu-ga  #aa:lint ignore=sbin
# NOTE(review): @{att} is defined empty and not referenced anywhere in this
# file — presumably an attachment-prefix placeholder filled in by the build
# tooling; confirm before removing.
@{att} = ""
profile qemu-ga /{{,usr/}{,s}bin/qemu-ga,{,usr/}bin/qemu-ga} flags=(complain) {
  # Confinement for the QEMU guest agent. flags=(complain): rule violations
  # are only logged, not denied, so nothing below is enforced until the flag
  # is dropped.
  include <abstractions/base-strict>

  # Sockets: bind on raw netlink, plus inet/inet6 stream sockets.
  # NOTE(review): presumably netlink is used for interface/address
  # enumeration — confirm against the agent's behaviour before tightening.
  network bind netlink raw,
  network inet stream,
  network inet6 stream,

  @{exec_path} mr,

  # The only exec target in this profile. systemctl transitions into the
  # nested "systemctl" child profile below (cx); any other program the
  # agent is asked to run has no exec rule here and is denied (logged only
  # while in complain mode).
  @{bin}/systemctl cx -> systemctl,

  /etc/qemu/qemu-ga.conf r,

  # Agent state under @{run}, restricted to files owned by the agent's uid.
  # NOTE(review): the @{rand6} suffix presumably matches a temporary file
  # used while qga.state is rewritten — confirm.
  owner @{run}/qga.state rw,
  owner @{run}/qga.state.@{rand6} rw,

  # Read-only sysfs/procfs inputs.
  @{sys}/devices/system/node/ r,
  @{sys}/devices/system/node/node@{int}/meminfo r,

  @{PROC}/@{pid}/net/dev r,
  @{PROC}/sys/vm/max_map_count r,

  # virtio-serial port device, read/write.
  # NOTE(review): presumably the agent's channel to the hypervisor — verify.
  /dev/vport@{int}p@{int} rw,

  # Child profile entered through the "cx -> systemctl" rule above. It is
  # also in complain mode.
  profile systemctl flags=(complain) {
    include <abstractions/base-strict>
    include <abstractions/app/systemctl>

    # NOTE(review): net_admin is a broad capability for a systemctl child;
    # it looks like it is needed for setting socket buffer sizes on the bus
    # connection — confirm it is still required, and drop it if not.
    capability net_admin,

    # Abstract unix stream sockets (leading "@") under the systemd bus path.
    unix type=stream addr=@@{udbus}/bus/shutdown/,
    unix type=stream addr=@@{udbus}/bus/shutdown/system,

    # Unnamed unix stream socket whose peer is confined by the logind label.
    unix type=stream addr=none peer=(label="@{p_systemd_logind}", addr=none),

    # D-Bus traffic to org.freedesktop.login1. Every rule pins the peer to
    # the logind label, so a same-named service under another label is not
    # matched. Send/receive on the login1 interfaces and Properties; send
    # only for Introspect and GetManagedObjects; receive only for the
    # ObjectManager InterfacesAdded/InterfacesRemoved signals.
    dbus (send receive) bus=system path=/org/freedesktop/login1{,/**}
       interface=org.freedesktop.login1{,.*}
       peer=(name="{@{busname},org.freedesktop.login1{,.*}}", label="@{p_systemd_logind}"),
    dbus (send receive) bus=system path=/org/freedesktop/login1{,/**}
       interface=org.freedesktop.DBus.Properties
       member={Get,GetAll,Set,PropertiesChanged}
       peer=(name="{@{busname},org.freedesktop.login1{,.*}}", label="@{p_systemd_logind}"),
    dbus send bus=system path=/org/freedesktop/login1{,/**}
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name="{@{busname},org.freedesktop.login1{,.*}}", label="@{p_systemd_logind}"),
    dbus send bus=system path=/org/freedesktop/login1{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member=GetManagedObjects
       peer=(name="{@{busname},org.freedesktop.login1{,.*}}", label="@{p_systemd_logind}"),
    dbus receive bus=system path=/org/freedesktop/login1{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member={InterfacesAdded,InterfacesRemoved}
       peer=(name="{@{busname},org.freedesktop.login1{,.*}}", label="@{p_systemd_logind}"),

    # Local, optional overrides for the child profile.
    include if exists <local/qemu-ga_systemctl>
  }

  # Local, optional overrides for the main profile.
  include if exists <local/qemu-ga>
}

# vim:syntax=apparmor
