# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/3.0>,

include <tunables/global>

@{exec_path} = /{usr/,}bin/fwupd /{usr/,}lib/fwupd/fwupd
profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
  include <abstractions/base>
  include <abstractions/disks-read>
  include <abstractions/nameservice-strict>
  include <abstractions/openssl>

  capability dac_override,
  capability dac_read_search,
  capability linux_immutable,
  capability mknod,
  capability sys_admin,
  capability sys_nice,
  capability sys_rawio,
  capability syslog,

  network netlink raw,

  @{exec_path} mr,

  /{usr/,}bin/gpg         rCx -> gpg,
  /{usr/,}bin/gpgconf     rCx -> gpg,
  /{usr/,}bin/gpgsm       rCx -> gpg,

  /etc/pki/fwupd/{,**} r,
  /etc/pki/fwupd-metadata/{,**} r,
  /etc/fwupd/{,**} r,
  /usr/share/fwupd/{,**} r,

  /var/cache/fwupd/{,**} rw,
  /var/lib/fwupd/{,**} rw,
  /var/lib/fwupd/pending.db rwk,

  /boot/{,**} r,
  /boot/EFI/arch/fwupdx[0-9]*.efi rw,
  /boot/EFI/arch/fw/fwupd-*.cap{,.*} rw,

  # In order to get to this file, the attach_disconnected flag has to be set
  owner @{user_cache_dirs}/fwupd/lvfs-metadata.xml.gz r,

  /usr/share/mime/mime.cache r,

  @{PROC}/modules r,
  @{PROC}/cmdline r,
  @{PROC}/swaps r,
  @{PROC}/sys/kernel/tainted r,
  @{PROC}/@{pids}/mountinfo r,
  @{PROC}/@{pids}/mounts r,
  @{PROC}/@{pids}/fd/ r,

  /dev/mem r,
  /dev/mei[0-9]* rw,
  /dev/tpm[0-9] rw,
  /dev/drm_dp_aux[0-9]* rw,
  /dev/sd[a-z] r,
  /dev/bus/usb/ r,
  /dev/bus/usb/[0-9]*/[0-9]* rw,
  /dev/wmi/* r,

  @{sys}/**/ r,
  @{sys}/devices/** r,

  @{sys}/firmware/acpi/** r,
  @{sys}/firmware/dmi/tables/DMI r,
  @{sys}/firmware/dmi/tables/smbios_entry_point r,
  @{sys}/firmware/efi/** r,
  @{sys}/firmware/efi/efivars/BootNext-* rw,
  @{sys}/firmware/efi/efivars/fwupd-* rw,
  @{sys}/kernel/security/lockdown r,
  @{sys}/kernel/security/tpm[0-9]/binary_bios_measurements r,
  @{sys}/power/mem_sleep r,

  /{var,}run/udev/data/* r,
  /{var,}run/motd.d/fwupd/{,**} rw,

  @{run}/systemd/inhibit/[0-9]*.ref rw,

  /etc/machine-id r,
  /var/lib/dbus/machine-id r,

  profile gpg flags=(complain) {
    include <abstractions/base>
    include <abstractions/nameservice-strict>

    capability dac_read_search,

    /{usr/,}bin/gpg        mr,
    /{usr/,}bin/gpgconf    mr,
    /{usr/,}bin/gpgsm      mr,
    /{usr/,}bin/gpg-agent  mr,

    owner /var/lib/fwupd/gnupg/ rw,
    owner /var/lib/fwupd/gnupg/** rwkl -> /var/lib/fwupd/gnupg/**,

  }

  include if exists <local/fwupd>
}