# apparmor.d - Full set of apparmor profiles # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , include @{exec_path} = @{bin}/mkinitcpio profile mkinitcpio @{exec_path} flags=(attach_disconnected) { include include include include capability dac_read_search, capability mknod, capability sys_admin, capability sys_chroot, network unix stream, @{exec_path} rmix, @{sh_path} rix, @{coreutils_path} rix, @{bin}/bsdtar rix, @{bin}/fc-match rix, @{bin}/findmnt rPx, @{bin}/fsck rix, @{bin}/getent rix, @{bin}/gzip rix, @{bin}/hexdump rix, @{bin}/ldconfig rix, @{bin}/ldd rix, @{bin}/loadkeys rix, @{bin}/tput rix, @{bin}/xz rix, @{bin}/zcat rix, @{bin}/zstd rix, @{bin}/{depmod,insmod} rPx, @{bin}/{kmod,lsmod} rPx, @{bin}/{modinfo,rmmod} rPx, @{bin}/modprobe rPx, @{bin}/plymouth rPx, @{bin}/plymouth-set-default-theme rPx, @{lib}/initcpio/busybox rix, @{lib}/ld-*.so* rix, /etc/fstab r, /etc/initcpio/{,**} r, /etc/locale.conf r, /etc/lvm/lvm.conf r, /etc/mkinitcpio.conf r, /etc/mkinitcpio.conf.d/{,**} r, /etc/mkinitcpio.d/{,**} r, /etc/modprobe.d/{,*} r, /etc/os-release r, /etc/plymouth/plymouthd.conf r, /etc/vconsole.conf r, /usr/share/kbd/{,**} r, /usr/share/plymouth/*.png r, /usr/share/plymouth/plymouthd.defaults r, /usr/share/plymouth/themes/{,**} r, /usr/share/terminfo/** r, # Can copy any program to the initframs /{usr/,}{local/,}{s,}bin/ r, @{bin}/* mr, @{bin}/*/ r, @{lib}/ r, @{lib}/plymouth/plymouthd-* mr, @{lib}/systemd/{,**} mr, @{lib}/udev/* mr, # Manage /boot / r, /boot/ r, /boot/initramfs-*.img* rw, /boot/vmlinuz-* r, # Temp files owner @{run}/initramfs/{,**} rw, owner @{run}/mkinitcpio.@{rand6}/{,**} rwl, owner @{tmp}/mkinitcpio.@{rand6} rw, owner @{tmp}/mkinitcpio.@{rand6}/{,**} rwl, owner @{run}/initcpio-tmp/mkinitcpio.@{rand6}/{,**} rwl, @{sys}/class/block/ r, @{sys}/devices/{,**} r, owner @{PROC}/@{pid}/mountinfo r, /dev/tty@{int}* rw, # Inherit silencer deny @{HOME}/** r, deny network inet stream, deny network inet6 stream, include if exists }