# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2022 Mikhail Morfikov
# Copyright (C) 2022-2024 Alexandre Pujol
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only
#
# AppArmor profile for mkinitramfs (initramfs-tools). This is AppArmor policy
# syntax, not a shell script: it confines the initramfs build, which stages a
# root tree under a mktemp directory in /var/tmp (or /tmp), copies binaries,
# libraries and kernel modules into it, runs the initramfs-tools hooks, and
# writes the resulting image under @{efi}.
#
# NOTE(review): the extraction that produced this copy dropped every
# angle-bracketed argument, so `abi ,`, the bare `include` directives and the
# `include if exists` lines below are missing their `<...>` operands. Do not
# load this copy as-is; restore the operands from the upstream file first.

# NOTE(review): `<abi/...>` operand lost in extraction.
abi ,

# NOTE(review): `<tunables/...>` operand lost in extraction.
include

@{exec_path} = @{sbin}/mkinitramfs
profile mkinitramfs @{exec_path} {
  # NOTE(review): both `<abstractions/...>` operands lost in extraction.
  include
  include

  # syslog for logger output; chown/fowner/fsetid are needed to set
  # ownership and mode bits on files copied into the staged root tree.
  capability syslog,
  capability chown,
  capability fowner,
  capability fsetid,

  @{exec_path} r,
  @{sh_path} rix,
  @{bin}/ r,
  @{lib}/ r,

  # Helper tools run inline (`ix`): they inherit this profile, so everything
  # they touch must be covered by the rules in this profile.
  @{bin}/{,e}grep rix,
  @{bin}/basename rix,
  @{bin}/bzip2 rix,
  @{bin}/cat rix,
  @{bin}/chmod rix,
  @{bin}/cp rix,
  @{bin}/cpio rix,
  @{bin}/dirname rix,
  @{bin}/env rix,
  @{bin}/getopt rix,
  @{bin}/gzip rix,
  @{bin}/id rix,
  @{bin}/ln rix,
  @{bin}/lzma rix,
  @{bin}/lzop rix,
  @{bin}/mkdir rix,
  @{bin}/mktemp rix,
  @{bin}/readlink rix,
  @{bin}/realpath rix,
  @{bin}/rm rix,
  @{bin}/rmdir rix,
  @{bin}/sed rix,
  @{bin}/sort rix,
  @{bin}/stat rix,
  @{bin}/touch rix,
  @{bin}/tr rix,
  @{bin}/tsort rix,
  @{bin}/uname rix,
  @{bin}/uniq rix,
  @{bin}/xargs rix,
  @{bin}/xz rix,
  @{bin}/zstd rix,

  # blkid transitions to its own profile (`Px`); dracut-install runs inline.
  @{sbin}/blkid rPx,
  @{lib}/dracut/dracut-install rix,

  # Tools with a broader footprint get dedicated child profiles (`Cx`),
  # defined at the bottom of this profile, instead of inheriting this one.
  @{bin}/find rCx -> find,
  @{bin}/kmod rCx -> kmod,
  @{sbin}/ldconfig rCx -> ldconfig,
  @{bin}/ldd rCx -> ldd,
  # The dynamic loader can be invoked directly to inspect binaries; it is
  # confined the same way as ldd.
  @{lib}/@{multiarch}/ld-linux-*so* rCx -> ldd,
  @{lib}/ld-linux.so* rCx -> ldd,

  @{bin}/dpkg rPx -> child-dpkg,
  @{bin}/linux-version rPx,

  # Hook and boot scripts are executed under their own profiles (`Px`). With
  # `Px` and no fallback, a script that has no matching profile is denied
  # execution rather than running unconfined, so every hook shipped on the
  # system needs a profile of its own.
  @{lib}/initramfs-tools/hooks/** rPx,
  /etc/initramfs-tools/hooks/** rPx,
  /etc/initramfs-tools/scripts/** rPx,
  /usr/share/initramfs-tools/hooks/** rPx,
  /usr/share/initramfs-tools/scripts/** rPx,

  /usr/share/initramfs-tools/{,**} r,
  /etc/initramfs-tools/{,**} r,
  /etc/xattr.conf r,

  # For shell pwd
  / r,
  /etc/ r,
  /root/ r,

  /etc/modprobe.d/{,*.conf} r,

  # Output: the new image is written as `initrd.img-*.new`; this profile
  # has no rule to rename it into place, so presumably the caller
  # (update-initramfs) performs the final move -- confirm.
  @{efi}/ r,
  owner @{efi}/config-* r,
  owner @{efi}/initrd.img-*.new rw,

  owner /var/lib/kdump/initramfs-tools/** rw,
  owner /var/lib/kdump/initrd.* rw,

  # Staging tree in /var/tmp. The `l -> <same pattern>` form only allows
  # hard links whose target is also inside the staging directory, so files
  # outside the tree cannot be linked into the image.
  # NOTE(review): unlike the /tmp rules just below and the ldconfig child
  # profile, these /var/tmp rules carry no `owner` qualifier, although
  # /var/tmp is world-writable; consider adding `owner` for consistency.
  /var/tmp/ r,
  /var/tmp/mkinitramfs_@{rand6}/** w,
  /var/tmp/modules_@{rand6} rw,
  /var/tmp/mkinitramfs_@{rand6} rw,
  /var/tmp/mkinitramfs_@{rand6}/ rw,
  /var/tmp/mkinitramfs_@{rand6}/** rwl -> /var/tmp/mkinitramfs_@{rand6}/**,
  /var/tmp/mkinitramfs-@{rand6} rw,
  /var/tmp/mkinitramfs-*_@{rand6} rw,

  # Same staging layout when TMPDIR points at a mktemp directory under /tmp.
  # (The separate `** w` rule is already implied by the `** rwl` rule above it.)
  owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6} rw,
  owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/ rw,
  owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/** rwl -> /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/**,
  owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/** w,
  owner /tmp/tmp.@{rand10}/mkinitramfs-@{rand6} rw,
  owner /tmp/tmp.@{rand10}/mkinitramfs-*_@{rand6} rw,
  owner /tmp/tmp.@{rand10}/modules_@{rand6} rw,

  # Read-only hardware/module discovery via sysfs and procfs.
  @{sys}/bus/ r,
  @{sys}/bus/*/drivers/ r,
  @{sys}/devices/platform/ r,
  @{sys}/devices/platform/**/ r,
  @{sys}/devices/platform/**/modalias r,
  @{sys}/module/compression r,
  @{sys}/module/firmware_class/parameters/path r,

  @{PROC}/@{pid}/mounts r,
  @{PROC}/cmdline r,
  @{PROC}/modules r,
  owner @{PROC}/@{pid}/fd/ r,

  # Child profile for ldd and for the dynamic loader when run as a program.
  # The loader and the binaries it is asked to inspect are mapped (`m`),
  # which is what resolving their shared-library dependencies requires.
  profile ldd {
    # NOTE(review): three `<abstractions/...>` operands lost in extraction.
    include
    include
    include

    @{bin}/ldd mr,
    @{lib}/@{multiarch}/ld-linux-*so* mr,
    @{lib}/ld-linux.so* mr,

    @{sh_path} rix,

    # Binaries whose dependencies get resolved during the build.
    @{bin}/kmod mr,
    @{lib}/initramfs-tools/bin/* mr,

    @{lib}/@{multiarch}/ld-*.so* rix,
    @{lib}/ld-*.so{,.2} rix,

    # NOTE(review): `<local/...>` operand lost in extraction.
    include if exists
  }

  # Child profile for ldconfig. Its only writable locations are the staging
  # trees, where it regenerates the loader cache for the image; the hard-link
  # target restriction mirrors the parent profile.
  profile ldconfig {
    # NOTE(review): both `<abstractions/...>` operands lost in extraction.
    include
    include

    # sys_chroot: presumably needed to run ldconfig against the staged root
    # (`ldconfig -r`) -- confirm against the initramfs-tools caller.
    capability sys_chroot,

    @{sbin}/ldconfig mr,
    @{sh_path} rix,
    @{sbin}/ldconfig.real rix,

    owner /var/tmp/mkinitramfs_@{rand6}/** rwl -> /var/tmp/mkinitramfs_@{rand6}/**,
    owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/** rwl -> /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/**,

    # NOTE(review): `<local/...>` operand lost in extraction.
    include if exists
  }

  # Child profile for find. Read-only: it may list the script directories
  # and the /var/tmp staging tree (directory entries only, `{,**/}`), but
  # never write.
  profile find {
    # NOTE(review): both `<abstractions/...>` operands lost in extraction.
    include
    include

    @{bin}/find mr,

    # pwd dir
    / r,
    /etc/ r,
    /root/ r,

    /usr/share/initramfs-tools/scripts/{,**/} r,
    /etc/initramfs-tools/scripts/{,**/} r,
    owner /var/tmp/mkinitramfs_@{rand6}/{,**/} r,

    # NOTE(review): `<local/...>` operand lost in extraction.
    include if exists
  }

  # Child profile for kmod (depmod). It is scoped to the module tree copied
  # into the /var/tmp staging root: modules are read, and only the generated
  # `modules.*` index files are writable. No rule covers the /tmp staging
  # variant here.
  profile kmod {
    # NOTE(review): both `<abstractions/...>` operands lost in extraction.
    include
    include

    owner /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/ r,
    owner /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/modules.* rw,
    owner /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/updates/{,**} r,
    owner /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/kernel/{,**/} r,
    owner /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/kernel/**/*.ko* r,

    @{sys}/module/compression r,

    # NOTE(review): `<local/...>` operand lost in extraction.
    include if exists
  }

  # NOTE(review): `<local/...>` operand lost in extraction.
  include if exists
}

# vim:syntax=apparmor