# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021-2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/3.0>,

include <tunables/global>

@{exec_path} = @{lib}/apparmor/apparmor.systemd
profile apparmor.systemd @{exec_path} flags=(complain) {
  include <abstractions/base>
  include <abstractions/consoles>
  include <abstractions/nameservice-strict>

  capability dac_read_search,
  capability mac_admin,

  @{exec_path} mr,

  @{bin}/{,ba,da}sh           rix,
  @{bin}/{,e}grep             rix,
  @{bin}/aa-status            rPx,
  @{bin}/apparmor_parser      rPx,
  @{bin}/getconf              rix,
  @{bin}/ls                   rix,
  @{bin}/sed                  rix,
  @{bin}/sort                 rix,
  @{bin}/systemd-detect-virt  rPx,
  @{bin}/xargs                rix,

  @{lib}/apparmor/rc.apparmor.functions r,

  /etc/apparmor.d/ r,

  @{sys}/fs/cgroup/systemd/ r,
  @{sys}/kernel/security/apparmor/{,**} r,
  @{sys}/kernel/security/apparmor/.remove rw,
  @{sys}/module/apparmor/ r,

  @{PROC}/@{pids}/fd/ r,
  @{PROC}/@{pids}/maps r,
  @{PROC}/@{pids}/mounts r,
  @{PROC}/mounts r,

  /dev/tty rw,

  include if exists <local/apparmor.systemd>
}