# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/4.0>,

include <tunables/global>

@{exec_path} = @{bin}/virtnodedevd
@{att} = /att/virtnodedevd/
profile virtnodedevd /{,usr/}bin/virtnodedevd  flags=(attach_disconnected,attach_disconnected.path=@{att},complain) {
  include <abstractions/attached/base>
  include <abstractions/devices-usb>
  include <abstractions/disks-read>
  include <abstractions/freedesktop.org>
  include <abstractions/nameservice-strict>

  capability net_admin,
  capability sys_admin,

  network netlink raw,

  ptrace (read) peer=virtqemud,
  ptrace (read) peer=unconfined,

  @{exec_path} mr,

  @{sbin}/mdevctl rpx,

  /usr/share/hwdata/*.ids r,
  /usr/share/pci.ids r,

  /etc/libvirt/*.conf r,
  /etc/mdevctl.d/{,**} r,

  @{att}@{run}/systemd/inhibit/@{int}.ref rw,

  owner @{run}/libvirt/common/system.token rwk,
  owner @{run}/libvirt/nodedev/ rw,
  owner @{run}/libvirt/nodedev/driver.pid wk,
  owner @{run}/user/@{uid}/libvirt/common/system.token rwk,
  owner @{run}/user/@{uid}/libvirt/nodedev/{,**} rwk,
  owner @{run}/user/@{uid}/libvirt/virtnodedevd* rwk,
  owner @{run}/virtnodedevd.pid wk,

  @{run}/utmp rk,

  @{run}/udev/data/+backlight:* r,        # For display backlights on laptops, monitors, and other screens.
  @{run}/udev/data/+bluetooth:* r,        # For bluetooth adapters, controllers, and active connections.
  @{run}/udev/data/+dmi:* r,              # for motherboard info
  @{run}/udev/data/+drm:card@{int}-* r,   # for screen outputs
  @{run}/udev/data/+input:input@{int} r,  # for mouse, keyboard, touchpad
  @{run}/udev/data/+leds:* r,             # Identifies all LEDs (keyboard, mouse, etc.)
  @{run}/udev/data/+pci:* r,              # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.)
  @{run}/udev/data/+platform:* r,         # Identifies onboard devices (laptop/board model, power controllers, thermal sensors)
  @{run}/udev/data/+power_supply:* r,     # For power supply devices (batteries, AC adapters, USB chargers)
  @{run}/udev/data/+rfkill:* r,           # Kill switch for wireless devices (Wi-Fi, Bluetooth, NFC) to save power
  @{run}/udev/data/+sound:card@{int} r,   # For sound card
  @{run}/udev/data/+thunderbolt:* r,      # For Thunderbolt devices, such as docks, external GPUs, and storage devices.

  @{run}/udev/data/c1:@{int} r,           # For RAM disk
  @{run}/udev/data/c10:@{int} r,          # For non-serial mice, misc features
  @{run}/udev/data/c13:@{int} r,          # For /dev/input/*
  @{run}/udev/data/c21:@{int} r,          # Generic SCSI access
  @{run}/udev/data/c29:@{int} r,          # For /dev/fb[0-9]*
  @{run}/udev/data/c81:@{int}  r,         # For video4linux
  @{run}/udev/data/c89:@{int}  r,         # For I2C bus interface
  @{run}/udev/data/c90:@{int} r,          # For RAM, ROM, Flash
  @{run}/udev/data/c99:@{int} r,          # For raw parallel ports /dev/parport*
  @{run}/udev/data/c116:@{int} r,         # For ALSA
  @{run}/udev/data/c202:@{int} r,         # CPU model-specific registers
  @{run}/udev/data/c203:@{int} r,         # CPU CPUID information
  @{run}/udev/data/c226:@{int} r,         # For DRI card /dev/dri/card@{int}
  @{run}/udev/data/c@{dynamic}:@{int} r,  # For dynamic assignment range 234 to 254, 384 to 511
  @{run}/udev/data/n@{int} r,             # For network interfaces

  @{sys}/**/ r,
  @{sys}/devices/@{pci}/net/{,**} r,
  @{sys}/devices/@{pci}/numa_node r,
  @{sys}/devices/@{pci}/resource r,
  @{sys}/devices/@{pci}/sriov_totalvfs r,
  @{sys}/devices/@{pci}/vpd r,
  @{sys}/devices/**/{class,revision,subsystem_vendor,subsystem_device} r,
  @{sys}/devices/**/{config,device,vendor} r,
  @{sys}/devices/**/uevent r,
  @{sys}/devices/system/node/ r,
  @{sys}/devices/system/node/node@{int}/meminfo r,
  @{sys}/devices/virtual/dmi/id/{product_name,product_serial,product_uuid,sys_vendor,board_vendor,bios_vendor,bios_date,bios_version,product_version} r,
  @{sys}/devices/virtual/net/{,**} r,
  @{sys}/kernel/iommu_groups/ r,
  @{sys}/kernel/iommu_groups/@{int}/devices/ r,

  owner @{PROC}/@{pid}/fd/ r,
  owner @{PROC}/@{pid}/stat r,
  owner @{PROC}/mtrr w,
  owner @{PROC}/uptime r,

  include if exists <local/virtnodedevd>
}

# vim:syntax=apparmor
