From 01fcfc54387e3d284270c5345fc13d7eb2b4fae4 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol <alexandre@pujol.io>
Date: Sat, 15 Mar 2025 00:27:14 +0100
Subject: [PATCH] feat(profile): add finalrd.

---
 apparmor.d/profiles-a-f/finalrd | 80 +++++++++++++++++++++++++++++++++
 dists/flags/main.flags          |  1 +
 2 files changed, 81 insertions(+)
 create mode 100644 apparmor.d/profiles-a-f/finalrd

diff --git a/apparmor.d/profiles-a-f/finalrd b/apparmor.d/profiles-a-f/finalrd
new file mode 100644
index 000000000..bdea03ef7
--- /dev/null
+++ b/apparmor.d/profiles-a-f/finalrd
@@ -0,0 +1,80 @@
+
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/finalrd
+profile finalrd @{exec_path} {
+  include <abstractions/base>
+
+  capability dac_read_search,
+  capability sys_admin,
+  capability sys_chroot,
+
+  remount options=(rw nodev nosuid relatime remount) @{run}/,
+
+  @{exec_path} mr,
+
+  @{sh_path}               rix,
+  @{bin}/cp                rix,
+  @{bin}/dirname           rix,
+  @{bin}/env               rix,
+  @{bin}/find              rix,
+  @{bin}/grep              rix,
+  @{bin}/ldconfig{,.real}  rix,
+  @{bin}/ln                rix,
+  @{bin}/mkdir             rix,
+  @{bin}/mount             rix,
+  @{bin}/readlink          rix,
+  @{bin}/realpath          rix,
+  @{bin}/rm                rix,
+  @{bin}/run-parts         rix,
+  @{bin}/sed               rix,
+  @{bin}/touch             rix,
+
+  @{bin}/ldd                         rCx -> ldd,
+  @{lib}/@{multiarch}/ld-linux-*so*  rCx -> ldd,
+
+  @{bin}/systemd-tmpfiles rPx,
+  @{lib}/systemd/systemd-shutdown rPx,
+
+  @{lib}/{,*} r,
+  @{bin}/{,*} r,
+
+  /usr/share/finalrd/mdadm.finalrd       ix 
+  /usr/share/finalrd/open-iscsi.finalrd  ix,
+  /usr/share/finalrd/{,**} r,
+  /usr/share/initramfs-tools/hook-functions r,
+
+  /etc/fstab r,
+  /etc/iscsi/initiatorname.iscsi r,
+  /etc/iscsi/iscsid.conf r,
+
+  / r,
+
+  @{run}/initramfs/{,**} rw,
+  @{run}/ r,
+  @{run}/mount/ r,
+  @{run}/finalrd-libs.conf rw,
+
+  @{PROC}/@{pid}/mountinfo r,
+
+  profile ldd {
+    include <abstractions/base>
+    include <abstractions/nameservice-strict>
+
+    @{bin}/ldd mr,
+    @{lib}/@{multiarch}/ld-linux-*so* mrix,
+    @{lib}/ld-linux.so* mr,
+
+    include if exists <local/finalrd_ldd>
+  }
+
+  include if exists <local/finalrd>
+}
+
+# vim:syntax=apparmor
diff --git a/dists/flags/main.flags b/dists/flags/main.flags
index d4e7d5a9f..c309f97e1 100644
--- a/dists/flags/main.flags
+++ b/dists/flags/main.flags
@@ -96,6 +96,7 @@ fail2ban-client attach_disconnected,complain
 fail2ban-server attach_disconnected,complain
 fdisk complain
 filezilla complain
+finalrd complain
 firewall-applet attach_disconnected,complain
 firewall-config complain
 firewalld attach_disconnected,complain