From 8b542434bdb1435ca67169bee6fa8911b3d802a7 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol <alexandre@pujol.io>
Date: Sun, 25 May 2025 00:52:38 +0200
Subject: [PATCH] feat(profile): update kdump profiles.

---
 apparmor.d/profiles-g-l/kdump-config        | 49 +++++++++++++++++++--
 apparmor.d/profiles-g-l/kdump-tools-init    | 38 ++++++++++++++++
 apparmor.d/profiles-g-l/kdump_mem_estimator | 36 +++++++++++++++
 dists/flags/main.flags                      |  2 +
 4 files changed, 122 insertions(+), 3 deletions(-)
 create mode 100644 apparmor.d/profiles-g-l/kdump-tools-init
 create mode 100644 apparmor.d/profiles-g-l/kdump_mem_estimator

diff --git a/apparmor.d/profiles-g-l/kdump-config b/apparmor.d/profiles-g-l/kdump-config
index e6ec78f67..2b3516202 100644
--- a/apparmor.d/profiles-g-l/kdump-config
+++ b/apparmor.d/profiles-g-l/kdump-config
@@ -7,32 +7,69 @@ abi <abi/4.0>,
 include <tunables/global>
 
 @{exec_path} = @{sbin}/kdump-config
-profile kdump-config @{exec_path} {
+profile kdump-config @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
 
-  ptrace readby peer=systemd-journald,
+  capability sys_admin,
+
+  ptrace readby peer=@{p_systemd_journald},
 
   @{exec_path} mr,
 
-  @{sh_path}        ix,
+  @{sh_path}       rix,
   @{bin}/basename   ix,
+  @{bin}/cat        ix,
+  @{bin}/cmp        ix,
+  @{bin}/cp         ix,
   @{bin}/cut        ix,
   @{bin}/file       ix,
   @{bin}/find       ix,
+  @{bin}/flock      ix,
   @{bin}/grep       ix,
   @{bin}/hexdump    ix,
   @{bin}/ln         ix,
   @{bin}/logger     ix,
+  @{bin}/plymouth   Px,
+  @{bin}/readlink   ix,
   @{bin}/rev        ix,
   @{bin}/run-parts  ix,
   @{bin}/sed        ix,
+  @{bin}/systemctl  Cx -> systemctl,
+  @{bin}/uname      ix,
   @{sbin}/kexec     Cx -> kexec,
   @{sbin}/sysctl    Cx -> sysctl,
 
   /etc/kernel/postinst.d/kdump-tools rPx,
 
+  /etc/kdump/{,**} r,
+  /etc/default/kdump-tools r,
+  /etc/magic r,
+
+  / r,
+  @{efi}/ r,
+
+        /var/crash/kdump_lock wk,
+        /var/crash/kexec_cmd w,
   owner /var/lib/kdump/{,**} rw,
 
+  @{sys}/firmware/efi/efivars/ r,
+  @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,
+  @{sys}/firmware/efi/efivars/SetupMode-@{uuid} r,
+  @{sys}/kernel/kexec_crash_loaded r,
+
+  @{PROC}/cmdline r,
+  @{PROC}/iomem r,
+
+  profile systemctl flags=(attach_disconnected) {
+    include <abstractions/base>
+    include <abstractions/app/systemctl>
+
+    capability net_admin,
+    capability sys_ptrace,
+
+    include if exists <local/kdump-config_systemctl>
+  }
+
   profile sysctl {
     include <abstractions/base>
 
@@ -51,6 +88,12 @@ profile kdump-config @{exec_path} {
 
     @{sbin}/kexec mr,
 
+    @{efi}/* r,
+
+    owner /var/lib/kdump/* r,
+
+    @{PROC}/iomem r,
+
     include if exists <local/kdump-config_kexec>
   }
 
diff --git a/apparmor.d/profiles-g-l/kdump-tools-init b/apparmor.d/profiles-g-l/kdump-tools-init
new file mode 100644
index 000000000..b5af4dcc9
--- /dev/null
+++ b/apparmor.d/profiles-g-l/kdump-tools-init
@@ -0,0 +1,38 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+@{exec_path} = /etc/init.d/kdump-tools
+profile kdump-tools-init @{exec_path} flags=(attach_disconnected) {
+  include <abstractions/base>
+
+  @{exec_path} mr,
+  @{sh_path} mr,
+
+  @{bin}/cat            ix,
+  @{bin}/plymouth       Px,
+  @{bin}/run-parts      ix,
+  @{bin}/systemctl      Cx -> systemctl,
+  @{sbin}/kdump-config  Px,
+
+  /etc/default/kdump-tools r,
+
+  @{PROC}/cmdline r,
+
+  profile systemctl flags=(attach_disconnected) {
+    include <abstractions/base>
+    include <abstractions/app/systemctl>
+
+    capability net_admin,
+
+    include if exists <local/kdump-tools-init_systemctl>
+  }
+
+  include if exists <local/kdump-tools-init>
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-g-l/kdump_mem_estimator b/apparmor.d/profiles-g-l/kdump_mem_estimator
new file mode 100644
index 000000000..b80a89343
--- /dev/null
+++ b/apparmor.d/profiles-g-l/kdump_mem_estimator
@@ -0,0 +1,36 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+@{exec_path} = /usr/share/kdump-tools/kdump_mem_estimator
+profile kdump_mem_estimator @{exec_path} {
+  include <abstractions/base>
+
+  @{exec_path} mr,
+
+  @{sh_path} r,
+  @{bin}/cat                               ix,
+  @{bin}/mkdir                             ix,
+  @{bin}/uname                             ix,
+  @{bin}/systemctl                         Cx -> systemctl,
+  @{bin}/uname                             ix,
+
+  owner /var/lib/kdump/mem* w,
+
+  profile systemctl {
+    include <abstractions/base>
+    include <abstractions/app/systemctl>
+
+    capability net_admin,
+
+    include if exists <local/kdump_mem_estimator_systemctl>
+  }
+
+  include if exists <local/kdump_mem_estimator>
+}
+
+# vim:syntax=apparmor
diff --git a/dists/flags/main.flags b/dists/flags/main.flags
index b1bd2fa0e..9faad80f9 100644
--- a/dists/flags/main.flags
+++ b/dists/flags/main.flags
@@ -191,7 +191,9 @@ kconf_update complain
 kde-powerdevil attach_disconnected,mediate_deleted,complain
 kde-systemd-start-condition complain
 kded complain
+kdump_mem_estimator complain
 kdump-config complain
+kdump-tools-init  complain,attach_disconnected
 kernel complain
 kernel-install complain
 kernel-postinst-kdump complain