From d76bc0b3be0cd9452083ed253d9cb46def7a5541 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol <alexandre@pujol.io>
Date: Sat, 31 May 2025 13:50:20 +0200
Subject: [PATCH] feat(profile): add initial profile for systemd-initctl.

---
 apparmor.d/groups/systemd/systemd-initctl | 27 +++++++++++++++++++++++
 dists/flags/main.flags                    |  1 +
 2 files changed, 28 insertions(+)
 create mode 100644 apparmor.d/groups/systemd/systemd-initctl

diff --git a/apparmor.d/groups/systemd/systemd-initctl b/apparmor.d/groups/systemd/systemd-initctl
new file mode 100644
index 000000000..05f32a7f6
--- /dev/null
+++ b/apparmor.d/groups/systemd/systemd-initctl
@@ -0,0 +1,27 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{lib}/systemd/systemd-initctl
+profile systemd-initctl @{exec_path} flags=(attach_disconnected) {
+  include <abstractions/base>
+  include <abstractions/bus-system>
+  include <abstractions/common/systemd>
+
+  capability net_admin,
+
+  unix type=stream addr=@@{udbus}/bus/systemd-initctl/,
+
+  @{exec_path} mr,
+
+  @{run}/initctl rw,
+  @{run}/systemd/notify rw,
+
+  include if exists <local/systemd-initctl>
+}
+
+# vim:syntax=apparmor
diff --git a/dists/flags/main.flags b/dists/flags/main.flags
index 6a030fe63..e73dd4cd5 100644
--- a/dists/flags/main.flags
+++ b/dists/flags/main.flags
@@ -353,6 +353,7 @@ systemd-generator-veritysetup attach_disconnected,complain
 systemd-homed attach_disconnected,complain
 systemd-homework complain
 systemd-inhibit attach_disconnected,complain
+systemd-initctl attach_disconnected,complain
 systemd-journald attach_disconnected,mediate_deleted
 systemd-mount complain
 systemd-network-generator attach_disconnected,complain