From bb6ca01718dad6cd91055c8d2c825143d00ca2f6 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol <alexandre@pujol.io>
Date: Sat, 21 Jun 2025 19:36:23 +0200
Subject: [PATCH] feat(profile): ufw: integrate ufw-init in ufw, use sysctl in
 subprofile.

---
 apparmor.d/groups/firewall/ufw      | 22 ++++++++++++++++++----
 apparmor.d/groups/firewall/ufw-init | 21 +++++++++++++++++++--
 2 files changed, 37 insertions(+), 6 deletions(-)

diff --git a/apparmor.d/groups/firewall/ufw b/apparmor.d/groups/firewall/ufw
index 3b931fb2b..39517ee6c 100644
--- a/apparmor.d/groups/firewall/ufw
+++ b/apparmor.d/groups/firewall/ufw
@@ -30,13 +30,12 @@ profile ufw @{exec_path} flags=(attach_disconnected) {
   @{exec_path} mr,
 
   @{python_path}               rix,
-  @{bin}/ r,
+  @{sbin}/ r,
   @{bin}/cat                   rix,
-  @{bin}/echo                  rix,
   @{bin}/env                   r,
   @{bin}/kmod                  rCx -> kmod,
-  @{lib}/ufw/ufw-init          rix,
-  @{sbin}/sysctl               rix,
+  @{lib}/ufw/ufw-init          rPx,
+  @{sbin}/sysctl               rCx -> sysctl,
   @{sbin}/xtables-legacy-multi rix,
   @{sbin}/xtables-nft-multi    rix,
 
@@ -70,6 +69,21 @@ profile ufw @{exec_path} flags=(attach_disconnected) {
     include if exists <local/ufw_kmod>
   }
 
+  profile sysctl {
+    include <abstractions/base>
+    include <abstractions/consoles>
+
+    capability net_admin,
+
+    @{sbin}/sysctl mr,
+
+    /etc/ufw/sysctl.conf r,
+
+    @{PROC}/sys/net/ipv{4,6}/** rw,
+
+    include if exists <local/ufw_sysctl>
+  }
+
   include if exists <local/ufw>
 }
 
diff --git a/apparmor.d/groups/firewall/ufw-init b/apparmor.d/groups/firewall/ufw-init
index 5c0521790..aae80b87d 100644
--- a/apparmor.d/groups/firewall/ufw-init
+++ b/apparmor.d/groups/firewall/ufw-init
@@ -11,6 +11,7 @@ profile ufw-init @{exec_path} {
   include <abstractions/base>
   include <abstractions/nameservice-strict>
 
+  capability dac_read_search,
   capability net_admin,
 
   network inet dgram,
@@ -22,7 +23,8 @@ profile ufw-init @{exec_path} {
   @{exec_path} mr,
 
   @{sh_path}                   rix,
-  @{sbin}/sysctl               rix,
+  @{bin}/echo                  rix,
+  @{sbin}/sysctl               rCx -> sysctl,
   @{sbin}/xtables-legacy-multi rix,
   @{sbin}/xtables-nft-multi    rix,
 
@@ -30,7 +32,22 @@ profile ufw-init @{exec_path} {
   /etc/ufw/* r,
 
   @{PROC}/@{pid}/net/ip_tables_names r,
-  @{PROC}/sys/net/ipv{4,6}/** rw,
+  # @{PROC}/sys/net/ipv{4,6}/** rw,
+
+  profile sysctl {
+    include <abstractions/base>
+    include <abstractions/consoles>
+
+    capability net_admin,
+
+    @{sbin}/sysctl mr,
+
+    /etc/ufw/sysctl.conf r,
+
+    @{PROC}/sys/net/ipv{4,6}/** rw,
+
+    include if exists <local/ufw-init_sysctl>
+  }
 
   include if exists <local/ufw-init>
 }