# apparmor.d - Full set of apparmor profiles # Copyright (C) 2019-2021 Mikhail Morfikov # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , include @{exec_path} = @{bin}/hardinfo profile hardinfo @{exec_path} { include include include include include include include # This is needed to display some content of devices -> resources capability sys_admin, # This is for benchmarks capability sys_nice, network inet dgram, network inet6 dgram, network inet stream, network inet6 stream, @{exec_path} mrix, @{sh_path} rix, @{bin}/gdb rix, @{bin}/iconv rix, @{bin}/last rix, @{bin}/ldd rix, @{bin}/locale rix, @{bin}/make rix, @{bin}/perl rix, @{python_path} rix, @{sbin}/route rix, @{bin}/ruby@{int}.@{int} rix, @{bin}/strace rix, @{bin}/tr rix, @{bin}/valgrind{,.bin} rix, @{lib}/@{multiarch}/valgrind/memcheck-*-linux rix, @{bin}/lsb_release rPx, @{open_path} rPx -> child-open, @{bin}/ccache rCx -> ccache, @{bin}/kmod rCx -> kmod, @{bin}/glxinfo rPx, @{bin}/xdpyinfo rPx, @{bin}/lspci rPx, @{bin}/lsusb rPx, @{bin}/netstat rPx, @{bin}/qtchooser rPx, @{lib}/jvm/java-[0-9]*-openjdk-@{arch}/bin/javac rCx -> javac, /usr/share/gdb/python/ r, /usr/share/gdb/python/** r, /usr/share/hardinfo/{,**} r, /etc/fstab r, /etc/exports r, /etc/samba/smb.conf r, /etc/gdb/gdbinit.d/ r, /var/log/wtmp r, owner @{HOME}/.hardinfo/ rw, owner @{tmp}/#@{int} rw, @{sys}/class/power_supply/ r, @{sys}/class/thermal/ r, @{sys}/bus/i2c/drivers/eeprom/ r, @{sys}/devices/system/cpu/** r, @{sys}/devices/virtual/dmi/id/* r, @{sys}/devices/virtual/thermal/thermal_zone@{int}/hwmon@{int}/temp* r, @{sys}/devices/virtual/thermal/thermal_zone@{int}/temp* r, @{sys}/devices/platform/**/hwmon/hwmon@{int}/temp* r, @{sys}/devices/platform/**/hwmon/hwmon@{int}/fan* r, @{sys}/devices/@{pci}/eeprom r, @{sys}/devices/@{pci}/hwmon/hwmon@{int}/temp* r, @{sys}/devices/**/power_supply/** r, @{PROC}/@{pid}/net/arp r, @{PROC}/@{pid}/net/dev r, @{PROC}/@{pid}/net/route r, @{PROC}/@{pid}/net/wireless r, @{PROC}/@{pids}/loginuid r, @{PROC}/asound/cards r, @{PROC}/bus/input/devices r, @{PROC}/dma r, @{PROC}/iomem r, @{PROC}/ioports r, @{PROC}/loadavg r, @{PROC}/scsi/scsi r, @{PROC}/sys/kernel/random/entropy_avail r, @{PROC}/uptime r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, owner /dev/tty@{int} rw, deny /usr/share/gdb/python/** w, profile ccache { include @{bin}/ccache mr, @{lib}/llvm-[0-9]*/bin/clang rix, @{bin}/{,@{multiarch}-}gcc-[0-9]* rix, @{bin}/{,@{multiarch}-}g++-[0-9]* rix, /media/ccache/*/** rw, /etc/debian_version r, include if exists } profile javac { include include @{lib}/jvm/java-[0-9]*-openjdk-@{arch}/bin/* mr, @{lib}/jvm/java-[0-9]*-openjdk-@{arch}/lib/** mr, /etc/java-[0-9]*-openjdk/** r, /usr/share/java/*.jar r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/coredump_filter rw, @{sys}/fs/cgroup/{,**} r, owner @{tmp}/hsperfdata_@{user}/ rw, owner @{tmp}/hsperfdata_@{user}/@{pid} rw, include if exists } profile kmod { include include @{sys}/module/** r, @{PROC}/ioports r, include if exists } include if exists } # vim:syntax=apparmor