# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/3.0>,

include <tunables/global>

@{exec_path} = @{lib}/systemd/systemd-oomd
profile systemd-oomd @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/dbus-strict>
  include <abstractions/systemd-common>

  capability dac_override,
  capability kill,

  dbus send bus=system path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member=RequestName
       peer=(name=org.freedesktop.DBus),

  dbus bind bus=system 
       name=org.freedesktop.oom[0-9],

  @{exec_path} mr,

  /etc/systemd/oomd.conf r,

  owner @{run}/systemd/journal/socket w,
        @{run}/systemd/io.system.ManagedOOM rw,
        @{run}/systemd/notify rw,

  @{sys}/fs/cgroup/cgroup.controllers r,
  @{sys}/fs/cgroup/memory.pressure r,
  @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/memory.* r,

  @{PROC}/pressure/{cpu,io,memory} r,

  include if exists <local/systemd-oomd>
}