# apparmor.d - Full set of apparmor profiles # Copyright (C) 2020-2022 Mikhail Morfikov # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , include @{exec_path} = @{lib}/{,fwupd/}fwupd profile fwupd @{exec_path} flags=(attach_disconnected,complain) { include include include include include include include include include include include include capability dac_override, capability dac_read_search, capability linux_immutable, capability mknod, capability net_admin, capability sys_admin, capability sys_nice, capability sys_rawio, capability syslog, network inet dgram, network inet stream, network inet6 dgram, network inet6 stream, network netlink raw, #aa:dbus own bus=system name=org.freedesktop.fwupd path=/ #aa:dbus talk bus=system name=org.bluez.GattCharacteristic1 label=bluetoothd #aa:dbus talk bus=system name=org.freedesktop.UDisks2 label=udisksd #aa:dbus talk bus=system name=org.freedesktop.UPower label=upowerd dbus receive bus=system path=/ interface=org.freedesktop.DBus.ObjectManager member=InterfacesAdded peer=(name=@{busname}, label=bluetoothd), @{exec_path} mr, @{lib}/fwupd/fwupd-detect-cet rix, @{bin}/gpg{,2} rCx -> gpg, @{bin}/gpgconf rCx -> gpg, @{bin}/gpgsm rCx -> gpg, /usr/share/fwupd/{,**} r, /usr/share/hwdata/* r, /usr/share/libdrm/*.ids r, /usr/share/misc/*.ids r, /etc/fwupd/{,**} rw, /etc/lsb-release r, /etc/pki/fwupd-metadata/{,**} r, /etc/pki/fwupd/{,**} r, /etc/machine-id r, /var/lib/dbus/machine-id r, @{efi}/{,**} r, @{efi}/EFI/*/.goutputstream-@{rand6} rw, @{efi}/EFI/*/fw/fwupd-*.cap{,.*} rw, @{efi}/EFI/*/fwupdx@{int}.efi rw, @{lib}/fwupd/efi/fwupdx@{int}.efi{,.signed} r, @{MOUNTDIRS}/*/{,@{efi}/} r, @{MOUNTDIRS}/*/{,@{efi}/}EFI/{,**} r, owner /var/cache/fwupd/ rw, owner /var/cache/fwupd/** rwk, owner /var/lib/fwupd/ rw, owner /var/lib/fwupd/** rwk, @{att}/@{user_cache_dirs}/gnome-software/fwupd/{,**} r, owner @{user_cache_dirs}/fwupd/lvfs-metadata.xml.gz r, owner @{user_cache_dirs}/gnome-software/fwupd/{,**} r, @{sys}/**/ r, @{sys}/devices/** r, @{sys}/**/uevent r, @{sys}/firmware/acpi/** r, @{sys}/firmware/dmi/tables/DMI r, @{sys}/firmware/dmi/tables/smbios_entry_point r, @{sys}/firmware/efi/** r, @{sys}/firmware/efi/efivars/Boot@{hex}-@{uuid} rw, @{sys}/firmware/efi/efivars/BootNext-@{uuid} rw, @{sys}/firmware/efi/efivars/dbx-@{uuid} rw, @{sys}/firmware/efi/efivars/fwupd-* rw, @{sys}/firmware/efi/efivars/KEK-@{uuid} rw, @{sys}/kernel/security/lockdown r, @{sys}/kernel/security/tpm@{int}/binary_bios_measurements r, @{sys}/power/mem_sleep r, @{att}/@{run}/systemd/inhibit/@{int}.ref rw, @{run}/motd.d/ r, @{run}/motd.d/@{int}-fwupd* rw, @{run}/motd.d/fwupd/{,**} rw, @{run}/mount/utab r, @{run}/udev/data/+*:* r, # Identifies all subsystems @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices @{PROC}/@{pids}/fd/ r, @{PROC}/@{pids}/mountinfo r, @{PROC}/@{pids}/mounts r, @{PROC}/1/cgroup r, @{PROC}/cmdline r, @{PROC}/modules r, @{PROC}/swaps r, @{PROC}/sys/kernel/tainted r, /dev/bus/usb/ r, /dev/bus/usb/@{int}/@{int} rw, /dev/cpu/@{int}/msr rw, /dev/dri/card@{int} rw, /dev/drm_dp_aux@{int} rw, /dev/gpiochip@{int} r, /dev/hidraw@{int} rw, /dev/ipmi@{int} rwk, /dev/mei@{int} rw, /dev/mem r, /dev/mtd@{int} rw, /dev/wmi/* r, profile gpg flags=(attach_disconnected,complain) { include include capability dac_read_search, @{bin}/gpg{,2} mr, @{bin}/gpgconf mr, @{bin}/gpgsm mr, @{bin}/gpg-agent rix, @{lib}/{,gnupg/}scdaemon rix, owner /var/lib/fwupd/gnupg/ rw, owner /var/lib/fwupd/gnupg/** rwkl -> /var/lib/fwupd/gnupg/**, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, include if exists } include if exists } # vim:syntax=apparmor