From c4e607ebfef356bbaaa75e5321c153c85eebf094 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol <alexandre@pujol.io>
Date: Fri, 10 Mar 2023 10:25:18 +0000
Subject: [PATCH] feat(profiles): add landscape-sysinfo profiles.

---
 apparmor.d/profiles-g-l/landscape-sysinfo     | 47 +++++++++++++++++++
 .../profiles-g-l/landscape-sysinfo.wrapper    | 34 ++++++++++++++
 2 files changed, 81 insertions(+)
 create mode 100644 apparmor.d/profiles-g-l/landscape-sysinfo
 create mode 100644 apparmor.d/profiles-g-l/landscape-sysinfo.wrapper

diff --git a/apparmor.d/profiles-g-l/landscape-sysinfo b/apparmor.d/profiles-g-l/landscape-sysinfo
new file mode 100644
index 000000000..1d3da425d
--- /dev/null
+++ b/apparmor.d/profiles-g-l/landscape-sysinfo
@@ -0,0 +1,47 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}bin/landscape-sysinfo
+profile landscape-sysinfo @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/nameservice-strict>
+  include <abstractions/openssl>
+  include <abstractions/python>
+
+  capability dac_override,
+  capability kill,
+  capability sys_ptrace,
+
+  network inet dgram,
+  network inet6 dgram,
+  network netlink raw,
+
+  ptrace (read),
+
+  @{exec_path} mr,
+
+  /{usr/,}bin/who rix,
+
+  /var/log/landscape/{,**} rw,
+
+  @{run}/utmp rwk,
+
+  @{sys}/class/thermal/ r,
+
+        @{PROC}/ r,
+        @{PROC}/@{pids}/cmdline r,
+        @{PROC}/@{pids}/stat r,
+        @{PROC}/@{pids}/status r,
+        @{PROC}/uptime r,
+  owner @{PROC}/@{pid}/fd/ r,
+  owner @{PROC}/@{pid}/mounts r,
+
+  /dev/tty[0-9]* rw,
+
+  include if exists <local/landscape-sysinfo>
+}
\ No newline at end of file
diff --git a/apparmor.d/profiles-g-l/landscape-sysinfo.wrapper b/apparmor.d/profiles-g-l/landscape-sysinfo.wrapper
new file mode 100644
index 000000000..4d185c370
--- /dev/null
+++ b/apparmor.d/profiles-g-l/landscape-sysinfo.wrapper
@@ -0,0 +1,34 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /usr/share/landscape/landscape-sysinfo.wrapper
+profile landscape-sysinfo.wrapper @{exec_path} {
+  include <abstractions/base>
+
+  @{exec_path} mr,
+
+  /{usr/,}bin/{,ba,da}sh         rix,
+  /{usr/,}bin/bc                 rix,
+  /{usr/,}bin/cat                rix,
+  /{usr/,}bin/cut                rix,
+  /{usr/,}bin/date               rix,
+  /{usr/,}bin/find               rix,
+  /{usr/,}bin/grep               rix,
+  /{usr/,}bin/landscape-sysinfo  rPx,
+
+  / r,
+  /etc/default/locale r,
+  
+  /var/lib/landscape/landscape-sysinfo.cache rw,
+
+  @{PROC}/loadavg r,
+
+  /dev/tty[0-9]* rw,
+
+  include if exists <local/landscape-sysinfo.wrapper>
+}
\ No newline at end of file