# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/3.0>,

include <tunables/global>

profile acpi-powerbtn flags=(attach_disconnected) {
  include <abstractions/base>

  /etc/acpi/powerbtn-acpi-support.sh r,

  /{usr/,}{s,}bin/killall5 rix,
  /{usr/,}{s,}bin/shutdown rix,
  /{usr/,}bin/{ba,da,}sh   rix,
  /{usr/,}bin/{e,}grep     rix,
  /{usr/,}bin/dbus-send    rix,
  /{usr/,}bin/pgrep        rix,
  /{usr/,}bin/pinky        rix,
  /{usr/,}bin/sed          rix,
  /etc/acpi/powerbtn.sh    rix,

  /{usr/,}bin/systemctl    rPx -> child-systemctl,
  /{usr/,}bin/ps           rPx,

  /{usr/,}bin/fgconsole rCx,

  /usr/share/acpi-support/** r,

  @{PROC} r,
  @{PROC}/uptime r,
  @{PROC}/@{pids}/cmdline r,
  @{PROC}/@{pids}/stat r,

  deny / r,

  profile fgconsole {
    include <abstractions/base>

    capability sys_tty_config,

    /{usr/,}bin/fgconsole r,

          /dev/tty       rw,
    owner /dev/tty[0-9]* rw,
  }

  include if exists <local/acpi-powerbtn>
}