From c239203e724df124cd0c0e4a35794e661a84b065 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol <alexandre@pujol.io>
Date: Sat, 6 Sep 2025 23:55:42 +0200
Subject: [PATCH] feat(abs): add  the tpm abstraction.

---
 apparmor.d/abstractions/tpm   | 16 ++++++++++++++++
 apparmor.d/profiles-a-f/fwupd |  3 +--
 apparmor.d/profiles-s-z/sbctl |  4 +---
 3 files changed, 18 insertions(+), 5 deletions(-)
 create mode 100644 apparmor.d/abstractions/tpm

diff --git a/apparmor.d/abstractions/tpm b/apparmor.d/abstractions/tpm
new file mode 100644
index 000000000..ef7b30a2b
--- /dev/null
+++ b/apparmor.d/abstractions/tpm
@@ -0,0 +1,16 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2016-2017 Canonical Ltd
+# Copyright (C) 2021-2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Communication to the system TPM chip over /dev/tpm@{int} and kernel TPM
+# resource manager /dev/tpmrm@{int}
+
+  abi <abi/4.0>,
+
+  /dev/tpm@{int} rw,
+  /dev/tpmrm@{int} rw,
+
+  include if exists <abstractions/tpm.d>
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd
index d7a72c236..8447bff3e 100644
--- a/apparmor.d/profiles-a-f/fwupd
+++ b/apparmor.d/profiles-a-f/fwupd
@@ -20,6 +20,7 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) {
   include <abstractions/mime>
   include <abstractions/nameservice-strict>
   include <abstractions/sqlite>
+  include <abstractions/tpm>
 
   capability dac_override,
   capability dac_read_search,
@@ -133,8 +134,6 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) {
   /dev/mei@{int} rw,
   /dev/mem r,
   /dev/mtd@{int} rw,
-  /dev/tpm@{int} rw,
-  /dev/tpmrm@{int} rw,
   /dev/wmi/* r,
 
   profile gpg flags=(attach_disconnected,complain) {
diff --git a/apparmor.d/profiles-s-z/sbctl b/apparmor.d/profiles-s-z/sbctl
index ef007a32c..a4fdbac88 100644
--- a/apparmor.d/profiles-s-z/sbctl
+++ b/apparmor.d/profiles-s-z/sbctl
@@ -9,6 +9,7 @@ include <tunables/global>
 @{exec_path} = @{bin}/sbctl
 profile sbctl @{exec_path} {
   include <abstractions/base>
+  include <abstractions/tpm>
 
   capability dac_read_search,
   capability linux_immutable,
@@ -34,9 +35,6 @@ profile sbctl @{exec_path} {
   @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,
   @{sys}/firmware/efi/efivars/SetupMode-@{uuid} r,
 
-  /dev/pts/@{int} rw,
-  /dev/tpmrm@{int} rw,
-
   # File Inherit
   deny network inet stream,
   deny network inet6 stream,