# apparmor.d - Full set of apparmor profiles # Copyright (C) 2021 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only # TODO: rethink how the scripts should be managed abi , include @{exec_path} = @{lib}/{,NetworkManager/}nm-dispatcher profile nm-dispatcher @{exec_path} flags=(attach_disconnected) { include include include capability net_admin, capability sys_nice, capability sys_ptrace, dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={RequestName,ReleaseName}, dbus receive bus=system path=/org/freedesktop/nm_dispatcher interface=org.freedesktop.nm_dispatcher, dbus bind bus=system name=org.freedesktop.nm_dispatcher, @{exec_path} mr, @{bin}/{,ba,da}sh rix, @{bin}/basename rix, @{bin}/chronyc rPUx, @{bin}/date rix, @{bin}/gawk rix, @{bin}/grep rix, @{bin}/id rix, @{bin}/mkdir rix, @{bin}/mktemp rix, @{bin}/netconfig rPUx, @{bin}/nmcli rix, @{bin}/readlink rix, @{bin}/rm rix, @{bin}/run-parts rCx -> run-parts, @{bin}/sed rix, @{bin}/systemctl rix, @{bin}/systemd-cat rPx, @{bin}/tr rix, /usr/share/tlp/tlp-readconfs rPUx, @{lib}/NetworkManager/dispatcher.d/ r, @{lib}/NetworkManager/dispatcher.d/** rix, /etc/NetworkManager/dispatcher.d/ r, /etc/NetworkManager/dispatcher.d/** rix, /usr/share/tlp/{,**} rw, /etc/sysconfig/network/config r, /etc/fstab r, @{run}/systemd/notify rw, @{run}/tlp/{,*} rw, @{run}/chrony-dhcp/ rw, @{sys}/class/net/ r, owner @{PROC}/@{pid}/fd/ r, /dev/tty rw, profile run-parts { include /{usr/,}bin/run-parts mr, /etc/network/if-*.d/ r, /etc/network/if-*.d/* rPUx, include if exists } include if exists }