From 0366543c39cb495e7129aee373055133b2324823 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol <alexandre@pujol.io>
Date: Sat, 21 Jun 2025 21:09:37 +0200
Subject: [PATCH] feat(profile): add console-setup profiles.

---
 apparmor.d/profiles-a-f/console-setup-cached  | 36 +++++++++++++++++++
 .../profiles-a-f/console-setup-keyboard       | 31 ++++++++++++++++
 2 files changed, 67 insertions(+)
 create mode 100644 apparmor.d/profiles-a-f/console-setup-cached
 create mode 100644 apparmor.d/profiles-a-f/console-setup-keyboard

diff --git a/apparmor.d/profiles-a-f/console-setup-cached b/apparmor.d/profiles-a-f/console-setup-cached
new file mode 100644
index 000000000..332f05341
--- /dev/null
+++ b/apparmor.d/profiles-a-f/console-setup-cached
@@ -0,0 +1,36 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+@{exec_path} = /etc/console-setup/cached_setup_font.sh /etc/console-setup/cached_setup_terminal.sh
+profile console-setup-cached @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/consoles>
+
+  capability sys_tty_config,
+
+  @{exec_path} mr,
+
+  @{sh_path}     rix,
+  @{bin}/gzip    rix,
+  @{bin}/ls       ix,
+  @{bin}/mkdir    ix,
+  @{bin}/setfont  ix,
+
+  /usr/share/consolefonts/{,**} r,
+
+  @{run}/console-setup/ w,
+  @{run}/console-setup/font-loaded w,
+
+  /dev/ r,
+  /dev/tty rw,
+  /dev/tty@{int} rw,
+
+  include if exists <local/console-setup-cached>
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/console-setup-keyboard b/apparmor.d/profiles-a-f/console-setup-keyboard
new file mode 100644
index 000000000..1f4045e2e
--- /dev/null
+++ b/apparmor.d/profiles-a-f/console-setup-keyboard
@@ -0,0 +1,31 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{lib}/console-setup/keyboard-setup.sh /etc/console-setup/cached_setup_keyboard.sh
+profile console-setup-keyboard @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/consoles>
+
+  capability sys_tty_config,
+
+  @{exec_path} mrix,
+
+  @{sh_path}  rix,
+  @{bin}/gzip rix,
+  @{bin}/kbd_mode rix,
+  @{bin}/loadkeys rix,
+
+  /etc/console-setup/{,**} r,
+
+  /dev/tty@{int} rw,
+  /dev/tty rw,
+
+  include if exists <local/console-setup-keyboard>
+}
+
+# vim:syntax=apparmor