# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2022 Mikhail Morfikov
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/4.0>,

include <tunables/global>

@{exec_path} = @{lib}/{,fwupd/}fwupd
profile fwupd @{exec_path} flags=(attach_disconnected,complain) {
  include <abstractions/base>
  include <abstractions/bus-system>
  include <abstractions/bus/org.bluez>
  include <abstractions/bus/org.freedesktop.ModemManager1>
  include <abstractions/bus/org.freedesktop.PolicyKit1>
  include <abstractions/bus/org.freedesktop.UDisks2>
  include <abstractions/bus/org.freedesktop.UPower>
  include <abstractions/consoles>
  include <abstractions/disks-write>
  include <abstractions/fonts>
  include <abstractions/nameservice-strict>

  capability dac_override,
  capability dac_read_search,
  capability linux_immutable,
  capability mknod,
  capability net_admin,
  capability sys_admin,
  capability sys_nice,
  capability sys_rawio,
  capability syslog,

  network inet dgram,
  network inet stream,
  network inet6 dgram,
  network inet6 stream,
  network netlink raw,

  #aa:dbus own bus=system name=org.freedesktop.fwupd path=/
  #aa:dbus talk bus=system name=org.freedesktop.UDisks2 label=udisksd

  @{exec_path} mr,

  @{lib}/fwupd/fwupd-detect-cet rix,

  @{bin}/gpg{,2}     rCx -> gpg,
  @{bin}/gpgconf     rCx -> gpg,
  @{bin}/gpgsm       rCx -> gpg,

  /usr/share/fwupd/{,**} r,
  /usr/share/hwdata/* r,
  /usr/share/mime/mime.cache r,

  /etc/fwupd/{,**} rw,
  /etc/lsb-release r,
  /etc/pki/fwupd-metadata/{,**} r,
  /etc/pki/fwupd/{,**} r,

  /etc/machine-id r,
  /var/lib/dbus/machine-id r,

  /boot/{,**} r,
  /boot/EFI/*/.goutputstream-@{rand6} rw,
  /boot/EFI/*/fw/fwupd-*.cap{,.*} rw,
  /boot/EFI/*/fwupdx@{int}.efi rw,
  @{lib}/fwupd/efi/fwupdx@{int}.efi{,.signed} r,

        /var/lib/flatpak/exports/share/mime/mime.cache r,
        /var/tmp/etilqs_@{sqlhex} rw,
  owner /var/cache/fwupd/ rw,
  owner /var/cache/fwupd/** rwk,
  owner /var/lib/fwupd/ rw,
  owner /var/lib/fwupd/** rwk,

  # In order to get to this file, the attach_disconnected flag has to be set
  owner @{user_cache_dirs}/fwupd/lvfs-metadata.xml.gz r,
  owner @{user_cache_dirs}/gnome-software/fwupd/{,**} r,

  @{sys}/**/ r,
  @{sys}/devices/** r,

  @{sys}/firmware/acpi/** r,
  @{sys}/firmware/dmi/tables/DMI r,
  @{sys}/firmware/dmi/tables/smbios_entry_point r,
  @{sys}/firmware/efi/** r,
  @{sys}/firmware/efi/efivars/Boot@{hex}-@{uuid} rw,
  @{sys}/firmware/efi/efivars/BootNext-@{uuid} rw,
  @{sys}/firmware/efi/efivars/fwupd-* rw,
  @{sys}/kernel/security/lockdown r,
  @{sys}/kernel/security/tpm@{int}/binary_bios_measurements r,
  @{sys}/**/uevent r,
  @{sys}/power/mem_sleep r,

  @{att}/@{run}/systemd/inhibit/@{int}.ref rw,

  @{run}/motd.d/ r,
  @{run}/motd.d/@{int}-fwupd* rw,
  @{run}/motd.d/fwupd/{,**} rw,
  @{run}/mount/utab r,
  @{run}/udev/data/* r,

  @{PROC}/@{pids}/fd/ r,
  @{PROC}/@{pids}/mountinfo r,
  @{PROC}/@{pids}/mounts r,
  @{PROC}/1/cgroup r,
  @{PROC}/cmdline r,
  @{PROC}/modules r,
  @{PROC}/swaps r,
  @{PROC}/sys/kernel/tainted r,

  /dev/bus/usb/ r,
  /dev/bus/usb/@{int}/@{int} rw,
  /dev/cpu/@{int}/msr rw,
  /dev/dri/card@{int} rw,
  /dev/drm_dp_aux@{int} rw,
  /dev/gpiochip@{int} r,
  /dev/hidraw@{int} rw,
  /dev/ipmi@{int} rwk,
  /dev/mei@{int} rw,
  /dev/mem r,
  /dev/mtd@{int} rw,
  /dev/tpm@{int} rw,
  /dev/tpmrm@{int} rw,
  /dev/wmi/* r,

  profile gpg flags=(attach_disconnected,complain) {
    include <abstractions/base>
    include <abstractions/nameservice-strict>

    capability dac_read_search,

    @{bin}/gpg{,2}    mr,
    @{bin}/gpgconf    mr,
    @{bin}/gpgsm      mr,

    @{bin}/gpg-agent          rix,
    @{lib}/{,gnupg/}scdaemon  rix,

    owner /var/lib/fwupd/gnupg/ rw,
    owner /var/lib/fwupd/gnupg/** rwkl -> /var/lib/fwupd/gnupg/**,

    owner @{PROC}/@{pid}/fd/ r,
    owner @{PROC}/@{pid}/task/@{tid}/comm rw,

    include if exists <local/fwupd_gpg>
  }

  include if exists <local/fwupd>
}

# vim:syntax=apparmor