# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/3.0>,

include <tunables/global>

@{exec_path} = @{bin}/plymouthd
profile plymouthd @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
  include <abstractions/dri-common>

  capability sys_admin,
  capability sys_chroot,
  capability sys_tty_config,

  network netlink raw,

  signal (send) peer=unconfined,
  signal (send) set=(rtmin+23) peer=systemd-shutdown,

  ptrace (read) peer=plymouth,

  unix type=stream addr="@/org/freedesktop/plymouthd",
  unix type=stream peer=(addr="@/org/freedesktop/plymouthd"),

  @{exec_path} mr,

  /usr/share/plymouth/{,**} r,
  /usr/share/pixmaps/distribution-logos/* r,

  /etc/default/keyboard r,
  /etc/plymouth/plymouthd.conf r,
  /etc/vconsole.conf r,

  /var/lib/plymouth/{,**} rw,

  @{run}/plymouth/{,**} rw,

  @{run}/udev/data/+drm:card@{int}-* r,   # For screen outputs
  @{run}/udev/data/c226:@{int} r,         # For /dev/dri/card[0-9]*
  @{run}/udev/data/c29:@{int} r,          # For /dev/fb[0-9]*

  @{sys}/bus/ r,
  @{sys}/class/ r,
  @{sys}/class/drm/ r,
  @{sys}/class/graphics/ r,
  @{sys}/devices/@{pci}/{,uevent,vendor,device} r,
  @{sys}/devices/virtual/graphics/fbcon/uevent r,
  @{sys}/devices/virtual/tty/console/active r,
  @{sys}/firmware/acpi/bgrt/{,*} r,
  @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,

        @{PROC}/1/cmdline r,
        @{PROC}/cmdline r,
        @{PROC}/sys/kernel/printk r,
  owner @{PROC}/@{pid}/cmdline r,
  owner @{PROC}/@{pid}/stat r,

  /dev/ptmx rw,
  /dev/tty@{int} rw,
  /dev/ttyS@{int} rw,

  include if exists <local/plymouthd>
}