# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Mikhail Morfikov
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/4.0>,

include <tunables/global>

@{exec_path} = @{sbin}/wpa_action
@{att} = ""
profile wpa-action /{,usr/}{,s}bin/wpa_action flags=(complain) {
  include <abstractions/base-strict>

  capability net_admin,

  network netlink raw,

  @{exec_path} mr,

  @{sbin}/wpa_cli  rpx,

  @{sh_path}        rix,
  @{bin}/{,e}grep   rix,
  @{bin}/cat        rix,
  @{bin}/date       rix,
  @{bin}/ifup       rix,
  @{bin}/ip         rix,
  @{bin}/ln         rix,
  @{bin}/logger     rix,
  @{bin}/rm         rix,

  /etc/wpa_supplicant/{,**} r,
  /etc/network/interfaces r,
  /etc/network/interfaces.d/{,*} r,

  owner @{run}/wpa_action.wlan@{int}.ifupdown rw,
  owner @{run}/wpa_action.wlan@{int}.timestamp rw,
  owner @{run}/network/ifstate.wlan@{int} rwk,
  owner @{run}/sendsigs.omit.d/wpasupplicant.wpa_supplicant.wlan@{int}.pid rw,

  include if exists <local/wpa-action>
}

# vim:syntax=apparmor
