feat(abs): add the tpm abstraction.

2025-09-06 23:55:42 +02:00 · 2025-09-06 23:55:42 +02:00 · c239203e72
commit c239203e72
parent 618b1116f8
3 changed files with 18 additions and 5 deletions
--- a/apparmor.d/abstractions/tpm
+++ b/apparmor.d/abstractions/tpm
@ -0,0 +1,16 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2016-2017 Canonical Ltd
+# Copyright (C) 2021-2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Communication to the system TPM chip over /dev/tpm@{int} and kernel TPM
+# resource manager /dev/tpmrm@{int}
+
+  abi <abi/4.0>,
+
+  /dev/tpm@{int} rw,
+  /dev/tpmrm@{int} rw,
+
+  include if exists <abstractions/tpm.d>
+
+# vim:syntax=apparmor
--- a/apparmor.d/profiles-a-f/fwupd
+++ b/apparmor.d/profiles-a-f/fwupd
@ -20,6 +20,7 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) {
  include <abstractions/mime>
  include <abstractions/nameservice-strict>
  include <abstractions/sqlite>
+  include <abstractions/tpm>

  capability dac_override,
  capability dac_read_search,
@ -133,8 +134,6 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) {
  /dev/mei@{int} rw,
  /dev/mem r,
  /dev/mtd@{int} rw,
-  /dev/tpm@{int} rw,
-  /dev/tpmrm@{int} rw,
  /dev/wmi/* r,

  profile gpg flags=(attach_disconnected,complain) {
--- a/apparmor.d/profiles-s-z/sbctl
+++ b/apparmor.d/profiles-s-z/sbctl
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{bin}/sbctl
 profile sbctl @{exec_path} {
  include <abstractions/base>
+  include <abstractions/tpm>

  capability dac_read_search,
  capability linux_immutable,
@ -34,9 +35,6 @@ profile sbctl @{exec_path} {
  @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,
  @{sys}/firmware/efi/efivars/SetupMode-@{uuid} r,

-  /dev/pts/@{int} rw,
-  /dev/tpmrm@{int} rw,
-
  # File Inherit
  deny network inet stream,
  deny network inet6 stream,