# apparmor.d - Full set of apparmor profiles # Copyright (C) 2019-2021 Mikhail Morfikov # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , include @{exec_path} = @{bin}/hw-probe profile hw-probe @{exec_path} { include include capability sys_admin, network inet dgram, network inet6 dgram, @{exec_path} rm, @{bin}/perl r, @{sh_path} rix, @{bin}/{,e}grep rix, @{bin}/{m,g,}awk rix, @{bin}/dd rix, @{bin}/efibootmgr rix, @{bin}/efivar rix, @{bin}/md5sum rix, @{bin}/pwd rix, @{bin}/sleep rix, @{bin}/tar rix, @{bin}/uname rix, @{bin}/lsb_release rPx -> lsb_release, @{bin}/dpkg rPx -> child-dpkg, @{bin}/acpi rPx, @{bin}/amixer rPx, @{bin}/aplay rPx, @{bin}/biosdecode rPx, @{bin}/cpuid rPx, @{bin}/cpupower rPx, @{bin}/df rPx, @{bin}/dkms rPx, @{bin}/dmesg rPx, @{bin}/dmidecode rPx, @{bin}/edid-decode rPx, @{bin}/fdisk rPx, @{bin}/glxgears rPx, @{bin}/glxinfo rPx, @{bin}/hciconfig rPx, @{bin}/hdparm rPx, @{bin}/hwinfo rPx, @{bin}/i2cdetect rPx, @{bin}/inxi rPx, @{bin}/lsblk rPx, @{bin}/lscpu rPx, @{bin}/lspci rPx, @{bin}/lsusb rPx, @{bin}/memtester rPx, @{bin}/rfkill rPx, @{bin}/sensors rPx, @{bin}/smartctl rPx, @{bin}/upower rPx, @{bin}/uptime rPx, @{bin}/usb-devices rPx, @{bin}/xdpyinfo rPx, @{bin}/xinput rPx, @{bin}/xrandr rPx, @{bin}/systemctl rPx -> child-systemctl, @{bin}/curl rCx -> curl, @{bin}/ethtool rCx -> netconfig, @{bin}/find rCx -> find, @{bin}/ifconfig rCx -> netconfig, @{bin}/iw rCx -> netconfig, @{bin}/iwconfig rCx -> netconfig, @{bin}/journalctl rCx -> journalctl, @{bin}/killall rCx -> killall, @{bin}/kmod rCx -> kmod, @{bin}/systemd-analyze rPx, @{bin}/udevadm rCx -> udevadm, /usr/share/X11/xorg.conf.d/{,*.conf} r, /etc/modprobe.d/{,*.conf} r, /etc/X11/xorg.conf.d/{,*.conf} r, /var/log/Xorg.[0-9].log{,.old} r, owner /root/HW_PROBE/{,**} rw, owner /tmp/*/ rw, owner /tmp/*/cpu_perf rw, @{sys}/class/drm/ r, @{sys}/class/power_supply/ r, @{sys}/devices/virtual/dmi/id/* r, @{sys}/devices/@{pci}/drm/card@{int}/*/edid r, @{sys}/devices/**/power_supply/*/uevent r, @{sys}/firmware/efi/efivars/ r, @{sys}/firmware/efi/efivars/* r, @{PROC}/bus/input/devices r, @{PROC}/interrupts r, @{PROC}/ioports r, @{PROC}/scsi/scsi r, profile find { include include capability dac_read_search, @{bin}/find mr, /root/ r, /dev/{,**} r, include if exists } profile journalctl { include @{bin}/journalctl mr, /var/lib/dbus/machine-id r, /etc/machine-id r, @{run}/log/ rw, /{run,var}/log/journal/ rw, /{run,var}/log/journal/@{md5}/ rw, /{run,var}/log/journal/@{md5}/user-@{hex}.journal* rw, /{run,var}/log/journal/@{md5}/system.journal* rw, /{run,var}/log/journal/@{md5}/system@@{hex}.journal* rw, owner @{PROC}/@{pid}/stat r, include if exists } profile killall { include capability sys_ptrace, ptrace (read), signal (send) set=(int, term, kill), @{bin}/killall mr, # The /proc/ dir is needed to avoid the following error: # /proc: Permission denied @{PROC}/ r, @{PROC}/@{pids}/stat r, include if exists } profile udevadm { include @{bin}/udevadm mr, /etc/udev/udev.conf r, @{run}/udev/data/* r, @{sys}/bus/ r, @{sys}/bus/*/devices/ r, @{sys}/class/ r, @{sys}/class/*/ r, @{sys}/devices/**/uevent r, @{PROC}/1/environ r, @{PROC}/1/sched r, @{PROC}/cmdline r, @{PROC}/sys/kernel/osrelease r, owner @{PROC}/@{pid}/stat r, include if exists } profile kmod { include @{bin}/kmod mr, @{sys}/module/*/ r, @{sys}/module/*/{coresize,refcnt} r, @{sys}/module/*/holders/ r, @{PROC}/cmdline r, @{PROC}/modules r, include if exists } profile netconfig { include # Not needed deny capability net_admin, deny capability net_raw, network inet dgram, network inet6 dgram, network ipx dgram, network ax25 dgram, network appletalk dgram, network netlink raw, @{bin}/iw mr, @{bin}/ifconfig mr, @{bin}/iwconfig mr, @{bin}/ethtool mr, owner @{PROC}/@{pid}/net/if_inet6 r, owner @{PROC}/@{pid}/net/dev r, include if exists } include if exists }