# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/3.0>,

include <tunables/global>

@{exec_path} = @{bin}/systemd-tty-ask-password-agent
profile systemd-tty-ask-password-agent @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
  include <abstractions/common/systemd>

  capability dac_override,
  capability net_admin,
  capability sys_resource,

  signal (receive) set=(term cont) peer=*//systemctl,
  signal (receive) set=(term cont) peer=default,
  signal (receive) set=(term cont) peer=logrotate,

  @{exec_path} mrix,

  @{run}/systemd/ask-password-block/{,*} rw,
  @{run}/systemd/ask-password/{,*} rw,
  @{run}/utmp rk,

  @{PROC}/@{pids}/stat r,
  
  @{sys}/devices/virtual/tty/console/active r,
  @{sys}/devices/virtual/tty/tty@{int}/active r,

  /dev/tty@{int} rw,

  include if exists <local/systemd-tty-ask-password-agent>
}

# vim:syntax=apparmor