From 2efdd6f5274af00e48adc4da0ab77e03805191f4 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol <alexandre@pujol.io>
Date: Sun, 7 Sep 2025 19:43:44 +0200
Subject: [PATCH] feat(profile): improve ufw-init

fix #843
---
 apparmor.d/groups/firewall/ufw-init | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)

diff --git a/apparmor.d/groups/firewall/ufw-init b/apparmor.d/groups/firewall/ufw-init
index aae80b87d..fcb9d8b6c 100644
--- a/apparmor.d/groups/firewall/ufw-init
+++ b/apparmor.d/groups/firewall/ufw-init
@@ -11,8 +11,10 @@ profile ufw-init @{exec_path} {
   include <abstractions/base>
   include <abstractions/nameservice-strict>
 
+  capability dac_override,
   capability dac_read_search,
   capability net_admin,
+  capability net_raw,
 
   network inet dgram,
   network inet raw,
@@ -27,12 +29,29 @@ profile ufw-init @{exec_path} {
   @{sbin}/sysctl               rCx -> sysctl,
   @{sbin}/xtables-legacy-multi rix,
   @{sbin}/xtables-nft-multi    rix,
+  @{bin}/kmod                  rCx -> kmod,
 
   /etc/default/ufw r,
   /etc/ufw/* r,
 
+  @{run}/xtables.lock rwk,
+
   @{PROC}/@{pid}/net/ip_tables_names r,
-  # @{PROC}/sys/net/ipv{4,6}/** rw,
+  @{PROC}/sys/kernel/modprobe r,
+
+  profile kmod {
+    include <abstractions/base>
+    include <abstractions/app/kmod>
+
+    capability sys_module,
+
+    @{run}/xtables.lock r,
+
+    @{sys}/module/compression r,
+    @{sys}/module/x_tables/initstate r,
+
+    include if exists <local/ufw-init_kmod>
+  }
 
   profile sysctl {
     include <abstractions/base>