# apparmor.d - Full set of apparmor profiles # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , include @{exec_path} = @{lib}/packagekitd profile packagekitd @{exec_path} flags=(attach_disconnected) { include include include include include include #aa:only apt include include capability chown, capability dac_override, capability dac_read_search, capability fowner, capability kill, capability mknod, capability net_admin, capability setgid, capability setuid, capability sys_chroot, capability sys_nice, network inet stream, network inet6 stream, network inet dgram, network inet6 dgram, network netlink raw, signal send set=int peer=apt-methods-*, signal send set=term peer=systemd-inhibit, #aa:dbus own bus=system name=org.freedesktop.PackageKit @{exec_path} mr, @{bin}/gpg{,2} rCx -> gpg, @{bin}/gpgconf rCx -> gpg, @{bin}/gpgsm rCx -> gpg, @{sh_path} rix, @{bin}/cp rix, @{bin}/echo rix, @{bin}/gdbus rix, @{bin}/gzip rix, @{sbin}/ldconfig rix, @{bin}/repo2solv rix, @{bin}/tar rix, @{bin}/test rix, @{bin}/touch rix, @{bin}/appstreamcli rPx, @{bin}/arch-audit rPx, #aa:only arch @{bin}/dpkg rPx -> child-dpkg, #aa:only apt @{bin}/fc-cache rPx, @{bin}/glib-compile-schemas rPx, @{bin}/install-info rPx, @{bin}/ischroot rPx, @{bin}/rpm rPUx, #aa:only opensuse @{bin}/rpmdb2solv rPUx, #aa:only opensuse @{bin}/systemd-inhibit rPx, @{bin}/update-desktop-database rPx, @{lib}/apt/methods/* rPx, #aa:only apt @{lib}/cnf-update-db rPx, @{lib}/update-notifier/update-motd-updates-available rPx, @{lib}/zypp/plugins/appdata/InstallAppdata rPUx, # TODO: write the profile /usr/share/libalpm/scripts/* rPx, # Install/update packages / r, /*{,/} rw, /boot/** rwl -> /boot/**, /etc/** rwl -> /etc/**, /opt/** rwl -> /opt/**, /srv/** rwl -> /srv/**, /usr/** rwlk -> /usr/**, /var/** rwlk -> /var/**, /tmp/apt-changelog-@{rand6}/ w, /tmp/apt-changelog-@{rand6}/*.changelog rw, owner @{tmp}/alpm_*/{,**} rw, owner @{tmp}/apt-changelog-@{rand6}/.apt-acquire-privs-test.@{rand6} rw, owner @{tmp}/packagekit* rw, @{att}/@{run}/systemd/inhibit/@{int}.ref rw, owner @{run}/systemd/users/@{uid} r, #aa:only opensuse @{run}/zypp.pid rwk, owner @{run}/zypp-rpm.pid rwk, owner @{run}/zypp/packages/ r, owner /dev/shm/AP_0x@{rand6}/{,**} rw, owner /dev/shm/ r, @{sys}/**/ r, @{sys}/devices/**/modalias r, @{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/mountinfo r, @{PROC}/sys/kernel/random/uuid r, @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mounts r, /dev/tty rw, profile gpg { include include capability dac_read_search, @{bin}/gpg{,2} mr, @{bin}/gpgconf mr, @{bin}/gpgsm mr, @{bin}/gpg-agent rix, @{bin}/scdaemon rix, @{lib}/{,gnupg/}scdaemon rix, /etc/gcrypt/hwf.deny r, @{HOME}/@{XDG_GPG_DIR}/*.conf r, #aa:only arch owner /etc/pacman.d/gnupg/ r, owner /etc/pacman.d/gnupg/** rwkl -> /tmp/pacman.d/gnupg/**, #aa:only opensuse owner /var/tmp/zypp.*/*/ r, owner /var/tmp/zypp.*/*/** rwkl -> /var/tmp/zypp.*/zypp-trusted-*/**, owner @{run}/user/@{uid}/gnupg/ r, owner @{run}/user/@{uid}/gnupg/ rwkl -> @{run}/user/@{uid}/gnupg/**, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, include if exists } include if exists } # vim:syntax=apparmor