From debed741ca28295ae5eb5a0435c600af6dddcafc Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Tue, 18 Mar 2025 22:52:47 +0100
Subject: [PATCH] fix(profile): ensure sbctl can access tpm. fix #687
---
 apparmor.d/profiles-s-z/sbctl | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/apparmor.d/profiles-s-z/sbctl b/apparmor.d/profiles-s-z/sbctl
index 4c5d62597..9dbbf0933 100644
--- a/apparmor.d/profiles-s-z/sbctl
+++ b/apparmor.d/profiles-s-z/sbctl
@@ -24,6 +24,7 @@ profile sbctl @{exec_path} {
 /{boot,efi}/EFI/{,**} rw,
 /{boot,efi}/vmlinuz-linux* rw,
 @{lib}/fwupd/efi/{,**} rw,
+ @{lib}/systemd/boot/efi/systemd-boot*.efi.signed rw,
 @{sys}/firmware/efi/efivars/db-@{uuid} rw,
 @{sys}/firmware/efi/efivars/KEK-@{uuid} rw,
@@ -32,6 +33,7 @@ profile sbctl @{exec_path} {
 @{sys}/firmware/efi/efivars/SetupMode-@{uuid} r,
 /dev/pts/@{int} rw,
+ /dev/tpmrm@{int} rw,
 # File Inherit
 deny network inet stream,
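Review bot: The new `@{lib}/systemd/boot/efi/systemd-boot*.efi.signed rw,` rule gives sbctl write access to the signed boot loader image, but neither the commit subject (which only mentions the TPM) nor the profile records why. A one-line comment above the rule would keep the grant reviewable, for example `# signed copy of systemd-boot produced by sbctl sign` (wording to confirm with the author). Producing that file presumably also needs read access to the unsigned `systemd-boot*.efi` beside it; no such rule is visible in this hunk, so it is worth checking that the profile already has one. The profile body starts and ends outside the hunk.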
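Review bot: `/dev/tpmrm@{int} rw,` is added under the `/dev/pts` rule with no comment, so the reason sbctl needs the TPM is recorded only in the commit subject. Suggest a comment such as `# TPM resource manager device, needed when sbctl uses the TPM (see #687)`. The rule is scoped to the `tpmrm` node rather than the raw `/dev/tpm@{int}` device, which is the narrower grant; the comment could say so, so that a later edit does not widen it without review. Any remaining gaps would show up as `apparmor="DENIED"` audit entries for the sbctl profile, which is the evidence to ask for before further TPM paths are added.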