# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

# Profile for generic systemd unit services. Only used by service without profile.
# It does not specify an attachment path because it is intended to be used only
# via "Px -> systemd-service" exec transitions from the systemd profile.

abi <abi/3.0>,

include <tunables/global>

profile systemd-service @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/consoles>

  capability sys_admin,

  @{bin}/systemctl     rix,
  @{coreutils_path}    rix,
  @{shells_path}      rmix,
  @{bin}/ldconfig      rix,

  @{bin}/grub-editenv  rPx,
  @{bin}/ibus-daemon   rPx,

  @{lib}/ r,

  /var/cache/ldconfig/{,**} rw,

  /boot/grub/grubenv rw,
  /boot/grub/ w,

  /var/log/ r,
  /var/log/dmesg rw,
  /var/log/dmesg.* rwl -> /var/log/dmesg,

  # snapd.system-shutdown.service
  @{run}/initramfs/shutdown rw,
  @{run}/initramfs/ rw,

  @{PROC}/cmdline r,
  @{PROC}/sys/kernel/osrelease r,

  include if exists <usr/systemd-service.d>
  include if exists <local/systemd-service>
}