From 31e90e6c58574d45aac59a91ebd094d6a05f6919 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Mon, 19 May 2025 00:00:44 +0200
Subject: [PATCH] feat(profile): add kernel update/install profiles.
---
 apparmor.d/profiles-g-l/kdump-config | 60 ++++++++++++++++
 apparmor.d/profiles-g-l/kernel | 71 +++++++++++++++++++
 apparmor.d/profiles-g-l/kernel-postinst-kdump | 34 +++++++++
 dists/flags/main.flags | 3 +
 4 files changed, 168 insertions(+)
 create mode 100644 apparmor.d/profiles-g-l/kdump-config
 create mode 100644 apparmor.d/profiles-g-l/kernel
 create mode 100644 apparmor.d/profiles-g-l/kernel-postinst-kdump
diff --git a/apparmor.d/profiles-g-l/kdump-config b/apparmor.d/profiles-g-l/kdump-config
new file mode 100644
index 000000000..e6ec78f67
--- /dev/null
+++ b/apparmor.d/profiles-g-l/kdump-config
@@ -0,0 +1,60 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{sbin}/kdump-config
+profile kdump-config @{exec_path} {
+ include
+
+ ptrace readby peer=systemd-journald,
+
+ @{exec_path} mr,
+
+ @{sh_path} ix,
+ @{bin}/basename ix,
+ @{bin}/cut ix,
+ @{bin}/file ix,
+ @{bin}/find ix,
+ @{bin}/grep ix,
+ @{bin}/hexdump ix,
+ @{bin}/ln ix,
+ @{bin}/logger ix,
+ @{bin}/rev ix,
+ @{bin}/run-parts ix,
+ @{bin}/sed ix,
+ @{sbin}/kexec Cx -> kexec,
+ @{sbin}/sysctl Cx -> sysctl,
+
+ /etc/kernel/postinst.d/kdump-tools rPx,
+
+ owner /var/lib/kdump/{,**} rw,
+
+ profile sysctl {
+ include
+
+ @{sbin}/sysctl mr,
+
+ @{PROC}/sys/kernel/panic_on_oops rw,
+
+ include if exists
+ }
+
+ profile kexec {
+ include
+
+ capability sys_admin,
+ capability sys_boot,
+
+ @{sbin}/kexec mr,
+
+ include if exists
+ }
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-g-l/kernel b/apparmor.d/profiles-g-l/kernel
new file mode 100644
index 000000000..2382ea062
--- /dev/null
+++ b/apparmor.d/profiles-g-l/kernel
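Review bot: The helper rules in kdump-config are spelled `ix` (`@{sh_path} ix,` through `@{bin}/sed ix,`), while the two sibling profiles added in this commit use `rix` for the same kind of helpers; apart from the inconsistency, a helper that is a script rather than an ELF binary also needs the `r` for its interpreter to read it, so `rix` is the safer form. The privileged work sits in the two child profiles — `sysctl` writes `@{PROC}/sys/kernel/panic_on_oops` and `kexec` holds `capability sys_admin` and `capability sys_boot` — but nothing records why they are split out of the parent; a one-line comment on each, e.g. `# Confined separately so the main profile never holds sys_boot`, would make the intent explicit to the next maintainer. The `abi` and `include` lines appear to have lost their bracketed arguments in this rendering, so their targets are not reviewed here.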
@@ -0,0 +1,71 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /etc/kernel/{,header_}postinst.d/* /etc/kernel/postrm.d/*
+@{exec_path} += /etc/kernel/preinst.d/* /etc/kernel/prerm.d/*
+profile kernel @{exec_path} {
+ include
+ include
+ include
+
+ capability sys_module,
+
+ @{exec_path} mr,
+
+ @{sh_path} rix,
+ @{bin}/{,e}grep rix,
+ @{bin}/{,m,g}awk rix,
+ @{bin}/cat rix,
+ @{bin}/chmod rix,
+ @{bin}/cut rix,
+ @{bin}/dirname rix,
+ @{bin}/kmod rix,
+ @{bin}/mv rix,
+ @{bin}/rm rix,
+ @{bin}/rmdir rix,
+ @{bin}/sed rix,
+ @{bin}/sort rix,
+ @{bin}/touch rix,
+ @{bin}/tr rix,
+ @{bin}/uname rix,
+ @{bin}/which rix,
+
+ @{bin}/apt-config rPx,
+ @{bin}/dpkg rPx -> child-dpkg,
+ @{bin}/systemd-detect-virt rPx,
+ @{bin}/update-alternatives rPx,
+ @{sbin}/dkms rPx,
+ @{sbin}/update-grub rPx,
+ @{sbin}/update-initramfs rPx,
+ @{lib}/dkms/dkms_autoinstaller rPx,
+
+ @{lib}/modules/*/updates/ w,
+ @{lib}/modules/*/updates/dkms/ w,
+
+ /etc/kernel/header_postinst.d/* r,
+ /etc/kernel/{postinst,postrm,preinst,prerm}.d/* r,
+
+ # For shell pwd
+ / r,
+ /boot/ r,
+
+ /etc/apt/apt.conf.d/ r,
+ /etc/apt/apt.conf.d/01autoremove-kernels{,.dpkg-new} rw,
+ /etc/modprobe.d/ r,
+ /etc/modprobe.d/*.conf r,
+
+ @{run}/reboot-required w,
+ @{run}/reboot-required.pkgs rw,
+
+ @{PROC}/devices r,
+ @{PROC}/cmdline r,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-g-l/kernel-postinst-kdump b/apparmor.d/profiles-g-l/kernel-postinst-kdump
new file mode 100644
index 000000000..91af3a842
--- /dev/null
+++ b/apparmor.d/profiles-g-l/kernel-postinst-kdump
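Review bot: `/etc/kernel/postinst.d/kdump-tools` is matched both by this profile's `@{exec_path} = /etc/kernel/{,header_}postinst.d/*` and by the dedicated `kernel-postinst-kdump` profile created in the same commit, so which profile attaches (and which one the `rPx` transition from kdump-config lands in) relies on AppArmor preferring the more specific attachment path; that overlap is not obvious from either file and deserves a comment next to the `@{exec_path}` lines, e.g. `# /etc/kernel/postinst.d/kdump-tools is attached by the more specific kernel-postinst-kdump profile`. Because the attachment is a glob over all four hook directories, every script dropped there runs with `capability sys_module`, with `@{bin}/kmod rix` (kmod inherits this profile rather than using its own) and with write access under `@{lib}/modules/*/updates/`; a comment such as `# sys_module: kmod runs inherited (rix) to load/unload modules from the hooks` would let a reader judge whether a locally added hook should instead get a narrower profile of its own, as kdump-tools does here.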
@@ -0,0 +1,34 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /etc/kernel/postinst.d/kdump-tools
+profile kernel-postinst-kdump @{exec_path} {
+ include
+
+ @{exec_path} mr,
+
+ @{bin}/du rix,
+ @{bin}/find rix,
+ @{bin}/gawk rix,
+ @{bin}/mv rix,
+ @{bin}/rm rix,
+ @{bin}/sync rix,
+ @{sbin}/mkinitramfs rPx,
+
+ owner /var/lib/kdump/* w,
+
+ owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6} rw,
+ owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/ rw,
+ owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/** rwl -> /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/**,
+ owner /tmp/tmp.@{rand10}/mkinitramfs-@{rand6} rw,
+ owner /tmp/tmp.@{rand10}/mkinitramfs-*_@{rand6} rw,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/dists/flags/main.flags b/dists/flags/main.flags
index 4332c78d9..5f5d8dc5f 100644
--- a/dists/flags/main.flags
+++ b/dists/flags/main.flags
@@ -192,7 +192,10 @@ kconf_update complain
 kde-powerdevil attach_disconnected,mediate_deleted,complain
 kde-systemd-start-condition complain
 kded complain
+kdump-config complain
+kernel complain
 kernel-install complain
+kernel-postinst-kdump complain
 keyboxd complain
 kglobalacceld complain
 kio_http_cache_cleaner complain
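Review bot: `owner /var/lib/kdump/* w,` grants write only, yet `@{bin}/du rix,` and `@{bin}/find rix,` run confined by this profile; if the hook points them at /var/lib/kdump — the kdump-config profile in this commit reads and writes the same tree with `owner /var/lib/kdump/{,**} rw,` — the directory listing and reads will be denied once the profile leaves complain mode, and `owner /var/lib/kdump/{,*} rw,` would align the two profiles. The five `/tmp/tmp.@{rand10}/mkinitramfs…` rules carry no comment saying why this profile, rather than the `mkinitramfs` profile it transitions to with `rPx`, touches that scratch directory; a line such as `# mkinitramfs scratch dir, inspected and moved by the hook (du, find, mv)` would record the reason, assuming that is it — confirm against the hook script before adding it.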