# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# LOGPROF-SUGGEST: no

  abi <abi/4.0>,

  include <abstractions/bus-system>
  include <abstractions/consoles>

  ptrace read peer=@{p_systemd},

  unix bind type=stream addr=@@{udbus}/bus/systemctl/,

  @{bin}/systemctl mr,

  owner @{run}/systemd/private rw,

          @{PROC}/1/cgroup r,
          @{PROC}/1/environ r,
          @{PROC}/1/sched r,
          @{PROC}/cmdline r,
          @{PROC}/sys/fs/nr_open r,
          @{PROC}/sys/kernel/osrelease r,
          @{PROC}/sys/kernel/random/boot_id r,
    owner @{PROC}/@{pid}/cgroup r,
    owner @{PROC}/@{pid}/comm r,
    owner @{PROC}/@{pid}/fd/ r,
    owner @{PROC}/@{pid}/stat r,

  include if exists <abstractions/app/systemctl.d>

# vim:syntax=apparmor