# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/4.0>,

include <tunables/global>

# Search paths for snapd's own helpers: the host @{bin}/@{lib} directories plus
# the same directories inside a mounted snapd/core snap revision
# (/snap/{snapd,core}/<revision>/...). The `{,x}@{int}` piece matches both
# numeric and "x<n>" (locally sideloaded) revision directory names.
@{bin_dirs} = @{bin}/ /snap/{snapd,core}/{,x}@{int}@{bin}
@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib}

# The daemon binary may therefore run either from the host or from inside the
# snapd snap (mrix below), so both locations must stay in sync with the
# attachment list on the profile line.
@{exec_path} = @{lib_dirs}/snapd/snapd
# Attachment variable left empty: the attachment paths are written out in
# expanded form on the profile line instead (NOTE(review): keep the two in sync
# when @{exec_path} changes).
@{att} = ""
# snapd daemon. The attachment list is the expanded form of @{exec_path}:
# the `{,usr/}lib{,exec,32,64}` and `[0-9]{[0-9],}...` pieces correspond to
# @{lib} and @{int} written out literally.
# NOTE(review): the profile (and all three child profiles) are in complain
# mode, so every rule below is logged rather than enforced. The capability
# set and the broad rw rules should be re-checked before switching to enforce.
profile snapd /{{,usr/}lib{,exec,32,64}/snapd/snapd,snap/{snapd,core}/{,x}[0-9]{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}/{,usr/}lib{,exec,32,64}/snapd/snapd} flags=(complain) {
  include <abstractions/base-strict>
  include <abstractions/authentication>
  include <abstractions/bus-system>
  include <abstractions/bus/org.freedesktop.PolicyKit1>
  include <abstractions/bus/org.freedesktop.timedate1>
  # disks-write is a broad abstraction (block device write access); it is
  # presumably needed for the loop-device / squashfs handling below.
  include <abstractions/disks-write>
  include <abstractions/fontconfig-cache-write>
  include <abstractions/fonts>
  include <abstractions/nameservice-strict>
  include <abstractions/ssl_certs>

  # Privilege set. mac_admin pairs with the apparmor_parser execs and the
  # @{sys}/kernel/security/apparmor rules further down (snapd loads the
  # per-snap AppArmor policy); sys_ptrace pairs with the ptrace read rules;
  # sys_admin is presumably for the mount/umount rules; dac_override and
  # dac_read_search are presumably what lets root snapd reach the
  # un-owner-qualified @{HOME}/snap trees below. Together this is close to
  # full root, so trimming this list is the main lever when enforcing.
  capability audit_write,
  capability chown,
  capability dac_override,
  capability dac_read_search,
  capability fowner,
  capability fsetid,
  capability mac_admin,
  capability net_admin,
  capability setgid,
  capability setuid,
  capability sys_admin,
  capability sys_ptrace,

  # Outbound store/API traffic (ssl_certs above) plus netlink for
  # systemd/udev interaction; no unix dgram rule is granted.
  network inet stream,
  network inet6 stream,
  network inet dgram,
  network inet6 dgram,
  network netlink raw,
  network unix stream,

  # The only mount snapd may perform directly: a squashfs image on a loop
  # device onto the syscheck scratch mountpoint. Regular snap mounts under
  # /snap/ are only unmounted here; mounting them presumably happens through
  # systemd mount units via the systemctl child profile.
  mount fstype=squashfs /dev/loop@{int} -> /tmp/syscheck-mountpoint-@{int}/,
  umount /tmp/syscheck-mountpoint-@{int}/,
  umount /snap/*/*/,

  # Read-only ptrace (e.g. /proc/<pid>/ inspection) of systemd and of processes
  # confined by the `snap` profile or any `snap.*` per-app profile.
  ptrace read peer=@{p_systemd},
  ptrace read peer=snap{,.*},

  # Matches the `signal receive` rule in the journalctl child below.
  signal send set=kill peer=snapd//journalctl,

  # login1 access is pinned to two members and to the logind label.
  dbus send bus=system path=/org/freedesktop/
         interface=org.freedesktop.login1.Manager
         member={SetWallMessage,ScheduleShutdown}
         peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"),

  # NOTE(review): unlike the login1 rule above, this peer is matched by
  # bus name only, with no label constraint; consider pinning the label too.
  dbus send bus=system path=/org/freedesktop/timedate1
       interface=org.freedesktop.DBus.Properties
       member=Get
       peer=(name=org.freedesktop.timedate1),

  @{exec_path} mrix,

  # Helpers run inline (ix) inherit this profile and all of the capabilities
  # above; px targets transition to their own profile; cx targets go to the
  # child profiles defined at the end of this profile.
  @{sh_path}                      rix,
  @{sbin}/adduser                 rpx,
  @{sbin}/apparmor_parser         rpx,
  @{bin}/cp                       rix,
  @{bin}/getent                   rix,
  @{sbin}/groupadd                rpx,
  @{bin}/gzip                     rix,
  @{bin}/hostnamectl              rpx,
  @{bin}/journalctl               rcx -> journalctl,
  @{bin}/kmod                     rpx,
  @{bin}/mount                    rix,
  @{sbin}/runuser                 rcx -> runuser,
  @{bin}/ssh-keygen               rpx,
  @{bin}/sync                     rix,
  @{bin}/systemctl                rcx -> systemctl,
  @{bin}/systemd-detect-virt      rpx,
  @{bin}/tar                      rix,
  @{bin}/udevadm                  rpx,
  @{bin}/umount                   rix,
  @{bin}/unsquashfs               rix,
  @{bin}/update-desktop-database  rpx,
  @{sbin}/useradd                 rpx,

  # NOTE(review): `pux` on the snap client means "use the `snap` profile if one
  # is loaded, otherwise run UNCONFINED (environment inherited)". If the snap
  # profile is always present on target systems, `rpx` is the safer choice.
  @{bin_dirs}/fc-cache-*              mr,
  @{bin_dirs}/snap                  rpux,
  @{bin_dirs}/xdelta3                rix,
  @{lib_dirs}/@{multiarch}/**         mr,
  @{lib_dirs}/@{multiarch}/ld-*.so   rix,
  @{lib_dirs}/snapd/apparmor_parser  rpx,
  @{lib_dirs}/snapd/snap-discard-ns  rpx,
  @{lib_dirs}/snapd/snap-seccomp     rpx,
  @{lib_dirs}/snapd/snap-update-ns   rpx,

  # Integration files snapd installs for snaps: D-Bus policy, polkit actions.
  # Writes are limited to snapd*/snap.* names plus the containing directories.
  /usr/share/bash-completion/{,**} r,
  /usr/share/dbus-1/{system,session}.d/ rw,
  /usr/share/dbus-1/{system,session}.d/snapd* rw,
  /usr/share/dbus-1/services/*snap* r,
  /usr/share/polkit-1/actions/{,**} r,
  /usr/share/polkit-1/actions/snap.*.policy* rw,

  @{etc_ro}/environment r,
  /etc/apparmor.d/*snapd.snap* r,
  /etc/dbus-1/system.d/{,**/} r,
  /etc/fstab r,
  /etc/mime.types r,
  /etc/modprobe.d/{,**/} r,
  /etc/modules-load.d/{,**/} r,
  /etc/modules-load.d/*snap* rw,
  /etc/polkit-1/rules.d/{,**/} r,
  # Unit files: writes are restricted to snap* names under system/, but the
  # user/ directory tree itself is rw (unlike system/, which is r only).
  # NOTE(review): check the complain logs whether directory creation under
  # /etc/systemd/user/ is really needed; otherwise make it `r` to match
  # /etc/systemd/system/ since the snap* file rules below already cover writes.
  /etc/systemd/system/{,**/} r,
  /etc/systemd/system/snap* rw,
  /etc/systemd/user/{,**/} rw,
  /etc/systemd/user/**/*snap* rw,
  /etc/systemd/user/*snap* rw,
  /etc/udev/rules.d/{,*snap*} rw,

  # snapd-owned state and the snap mount tree: full read/write (and lock for
  # the cache/state directories). This is the daemon's core data, so broad
  # access is expected here.
  /snap/{,**} rw,
  /var/cache/snapd/{,**} rwlk,
  /var/lib/snapd/{,**} rwlk,
  /var/snap/{,**} rw,

  # Compiled policy cache: only the snap* entries are writable.
  /var/cache/apparmor/{,*/} r,
  /var/cache/apparmor/*/snap* rw,

  # Scratch directories used for the squashfs syscheck mount above and for
  # temporary file reads; names carry an integer suffix rather than being
  # owner-qualified.
  /tmp/ r,
  /tmp/read-file@{int}/{,**} rw,
  /tmp/snapd@{int}/ rw,
  /tmp/snapd@{int}/** rw,
  /tmp/syscheck-mountpoint-@{int}/{,**} rw,
  /tmp/syscheck-squashfs-@{int} rw,

  @{efi}/ r,
  @{efi}/grub/grubenv r,

  # Per-user snap data. Deliberately NOT owner-qualified: snapd runs as root
  # and manages every user's ~/snap and ~/.snap* trees (the runuser child
  # below is the one that uses `owner`).
  / r,
  /home/ r,
  @{HOME}/ r,
  @{HOME}/snap/{,**} rw,
  @{HOME}/.snap*/{,**} rw,

  # mount(8)/umount(8) run inline (ix above) and maintain the utab here.
  owner @{run}/mount/ rw,
  owner @{run}/mount/utab{,.*} rw,
  owner @{run}/mount/utab.lock wk,

  # Per-user runtime dirs and the session agent socket.
  # NOTE(review): the last rule has no @{uid} component, unlike the
  # @{run}/user/@{uid}/snap.*/ rule above it; confirm from logs that
  # /run/user/snap.*/ really exists, otherwise it looks like a duplicate.
  @{run}/user/ r,
  @{run}/user/@{uid}/ r,
  @{run}/user/@{uid}/snap.*/{,**} rw,
  @{run}/user/@{uid}/snapd-session-agent.socket rw,
  @{run}/user/snap.*/{,**} rw,

  # @{run}/systemd/private is systemd's private control socket: this grants
  # direct manager access in addition to the systemctl child profile.
  @{run}/mount/utab.act rk,
  @{run}/snapd*.socket rw,
  @{run}/snapd/{,**} rw,
  @{run}/snapd/lock/*.lock rwk,
  @{run}/systemd/notify rw,
  @{run}/systemd/private rw,

  # cgroup inspection (read-only) and AppArmor feature/profile introspection.
  @{sys}/fs/cgroup/{,*/} r,
  @{sys}/fs/cgroup/*.slice/ r,
  @{sys}/fs/cgroup/*.slice/{,**/} r,
  @{sys}/fs/cgroup/*.slice/**/cgroup.procs r,
  @{sys}/fs/cgroup/cgroup.controllers r,
  @{sys}/kernel/kexec_loaded r,
  @{sys}/kernel/security/apparmor/.notify r,
  @{sys}/kernel/security/apparmor/features/{,**} r,
  @{sys}/kernel/security/apparmor/profiles r,

  # The first group is readable for any pid (no owner qualifier); only
  # cmdline and mountinfo are restricted to owned processes.
        @{PROC}/@{pid}/cgroup r,
        @{PROC}/@{pid}/mounts r,
        @{PROC}/@{pid}/stat r,
        @{PROC}/cgroups r,
        @{PROC}/cmdline r,
        @{PROC}/sys/kernel/seccomp/actions_avail r,
        @{PROC}/version r,
  owner @{PROC}/@{pids}/cmdline r,
  owner @{PROC}/@{pids}/mountinfo r,

  # Loop device allocation, paired with the squashfs mount rule above.
  /dev/loop-control rw,

  # systemctl child: manages snap* unit files, does not inherit the parent's
  # capability set (cx transition).
  # NOTE(review): net_admin + netlink raw for a systemctl client is a lot;
  # confirm from the complain logs that it is actually exercised.
  profile systemctl flags=(complain) {
    include <abstractions/base-strict>
    include <abstractions/app/systemctl>

    capability net_admin,
    capability sys_resource,

    network netlink raw,

    ptrace read peer=@{p_systemd},

    /etc/systemd/system/{,**/} r,
    /etc/systemd/system/snap* rw,
    /etc/systemd/user/{,**/} rw,
    /etc/systemd/user/**/*snap* rw,
    /etc/systemd/user/*snap* rw,

    @{run}/systemd/notify rw,

    include if exists <local/snapd_systemctl>
  }

  # journalctl child: read-only access to the system/runtime journals; may be
  # killed by the parent (matches the `signal send` rule above).
  profile journalctl flags=(complain) {
    include <abstractions/base-strict>
    include <abstractions/consoles>

    capability net_admin,
    capability sys_resource,

    network netlink raw,

    signal receive set=kill peer=snapd,

    @{bin}/journalctl mr,

    /etc/machine-id r,
    /var/lib/dbus/machine-id r,

    /{run,var}/log/journal/ r,
    /{run,var}/log/journal/@{hex32}/{,*} r,

    @{run}/systemd/notify w,

    include if exists <local/snapd_journalctl>
  }

  # runuser child: runs tar/gzip through a shell as another user over that
  # user's ~/snap tree (owner-qualified, i.e. checked after the identity
  # switch).
  # NOTE(review): no capability rules are granted here, yet runuser's whole
  # purpose is to change uid/gid; `capability setuid` / `capability setgid`
  # (and likely <abstractions/authentication> for PAM) will presumably show up
  # in the complain logs and are needed before this child can be enforced.
  profile runuser flags=(complain) {
    include <abstractions/base-strict>

    @{sbin}/runuser mr,

    @{sh_path}   ix,
    @{bin}/gzip  ix,
    @{bin}/tar   ix,

    owner @{HOME}/snap/*/{,**} r,

    include if exists <local/snapd_runuser>
  }

  # Site-local additions without editing this file.
  include if exists <local/snapd>
}

# vim:syntax=apparmor
