# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2015-2020 Mikhail Morfikov
# Copyright (C) 2022 Jeroen Rijken
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/4.0>,

include <tunables/global>

@{exec_path} = @{sbin}/thermald
@{att} = /att/thermald/
profile thermald /{,usr/}{,s}bin/thermald  flags=(attach_disconnected,attach_disconnected.path=@{att},complain) {
  include <abstractions/attached/base>
  include <abstractions/bus-system>
  include <abstractions/bus/net.hadess.PowerProfiles>
  include <abstractions/upower-observe>

  capability sys_boot,

  include <abstractions/bus/system/own>

  dbus bind bus=system name=org.freedesktop.thermald{,.*},
  dbus receive bus=system path=/org/freedesktop/thermald{,/**}
       interface=org.freedesktop.thermald{,.*}
       peer=(name="@{busname}"),
  dbus send bus=system path=/org/freedesktop/thermald{,/**}
       interface=org.freedesktop.thermald{,.*}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  dbus (send receive) bus=system path=/org/freedesktop/thermald{,/**}
       interface=org.freedesktop.DBus.Properties
       member={Get,GetAll,Set,PropertiesChanged}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  dbus receive bus=system path=/org/freedesktop/thermald{,/**}
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name="@{busname}"),
  dbus receive bus=system path=/org/freedesktop/thermald{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member=GetManagedObjects
       peer=(name="{@{busname},org.freedesktop.thermald{,.*}}"),
  dbus send bus=system path=/org/freedesktop/thermald{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member={InterfacesAdded,InterfacesRemoved}
       peer=(name="{@{busname},org.freedesktop.DBus}"),

  @{exec_path} mr,

  /etc/thermald/{,*} r,

  owner @{run}/thermald/ rw,
  owner @{run}/thermald/** rw,
  owner @{run}/thermald/thermald.pid rwk,

  @{sys}/class/hwmon/ r,
  @{sys}/class/thermal/ r,
  @{sys}/devices/platform/ r,
  @{sys}/devices/platform/** r,

  @{sys}/devices/system/cpu/present r,
  @{sys}/devices/system/cpu/intel_pstate/max_perf_pct rw,
  @{sys}/devices/system/cpu/intel_pstate/no_turbo rw,
  @{sys}/devices/system/cpu/intel_pstate/status r,

  @{sys}/devices/@{pci}/*_backlight/{,max_,actual_}brightness r,
  @{sys}/devices/@{pci}/power_limits/power_limit_@{int}_max_uw r,
  @{sys}/devices/@{pci}/power_limits/power_limit_@{int}_min_uw r,
  @{sys}/devices/@{pci}/power_limits/power_limit_@{int}_tmax_us r,
  @{sys}/devices/@{pci}/power_limits/power_limit_@{int}_tmin_us r,

  @{sys}/devices/**/hwmon@{int}/ r,
  @{sys}/devices/**/hwmon@{int}/name r,
  @{sys}/devices/**/hwmon@{int}/temp@{int}_{max,crit} r,
  @{sys}/devices/**/path r,

  @{sys}/devices/platform/*/uuids/current_uuid rw,

  @{sys}/devices/virtual/dmi/id/product_name r,
  @{sys}/devices/virtual/dmi/id/product_uuid r,

  @{sys}/devices/virtual/thermal/**/{type,temp} r,

  @{sys}/devices/virtual/thermal/thermal_zone@{int}/ r,
  @{sys}/devices/virtual/thermal/thermal_zone@{int}/mode rw,
  @{sys}/devices/virtual/thermal/thermal_zone@{int}/policy rw,
  @{sys}/devices/virtual/thermal/thermal_zone@{int}/trip_point_@{int}_temp rw,
  @{sys}/devices/virtual/thermal/thermal_zone@{int}/trip_point_@{int}_type r,
  @{sys}/devices/virtual/thermal/thermal_zone@{int}/trip_point_@{int}_hyst r,
  @{sys}/devices/virtual/thermal/thermal_zone@{int}/cdev@{int}_trip_point r,

  @{sys}/devices/virtual/thermal/cooling_device[@{int}/ r,
  @{sys}/devices/virtual/thermal/cooling_device@{int}/cur_state rw,
  @{sys}/devices/virtual/thermal/cooling_device@{int}/max_state r,

  @{sys}/devices/virtual/powercap/intel-rapl{,-mmio}/ r,
  @{sys}/devices/virtual/powercap/intel-rapl{,-mmio}/**/name r,
  @{sys}/devices/virtual/powercap/intel-rapl{,-mmio}/intel-rapl{,-mmio}:@{int}/ r,
  @{sys}/devices/virtual/powercap/intel-rapl{,-mmio}/intel-rapl{,-mmio}:@{int}/* r,
  @{sys}/devices/virtual/powercap/intel-rapl{,-mmio}/intel-rapl{,-mmio}:@{int}/constraint_* w,
  @{sys}/devices/virtual/powercap/intel-rapl{,-mmio}/intel-rapl{,-mmio}:@{int}/enabled w,
  @{sys}/devices/virtual/powercap/intel-rapl{,-mmio}/intel-rapl{,-mmio}:@{int}/intel-rapl:@{int}/{,*} r,

  /dev/acpi_thermal_rel rw,
  /dev/input/ r,
  /dev/input/event@{int} r,

  include if exists <local/thermald>
}

# vim:syntax=apparmor
