# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/4.0>,

include <tunables/global>

@{exec_path}  = @{bin}/check-bios-nx
profile check-bios-nx @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>

  # To remove the following errors:
  #  /usr/sbin/check-bios-nx: 19: cannot create /dev/stderr: Permission denied
  capability dac_override,

  @{exec_path} r,
  @{sh_path}        rix,

  @{bin}/uname      rix,
  @{bin}/{,e}grep   rix,
  @{bin}/getopt     rix,

  @{bin}/kmod       rCx -> kmod,

  @{bin}/rdmsr  rPx,

  owner @{PROC}/@{pid}/fd/@{int} rw,

  profile kmod {
    include <abstractions/base>
    include <abstractions/app/kmod>

    @{lib}/modules/*/modules.* r,

    include if exists <local/check-bios-nx_kmod>
  }

  include if exists <local/check-bios-nx>
}

# vim:syntax=apparmor