apparmor.d/apparmor.d/groups/pacman/mkinitcpio

# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/3.0>,

include <tunables/global>

@{exec_path} = @{bin}/mkinitcpio
profile mkinitcpio @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/consoles>
  include <abstractions/nameservice-strict>

  capability dac_read_search,
  capability mknod,
  capability sys_admin,
  capability sys_chroot,

  network unix stream,

  @{exec_path} rmix,

  @{bin}/{,ba}sh             rix,
  @{bin}/{m,g,}awk           rix,
  @{bin}/bsdtar              rix,
  @{bin}/cat                 rix,
  @{bin}/cp                  rix,
  @{bin}/dd                  rix,
  @{bin}/dirname             rix,
  @{bin}/fc-match            rix,
  @{bin}/find                rix,
  @{bin}/findmnt             rPx,
  @{bin}/fsck                rix,
  @{bin}/getent              rix,
  @{bin}/grep                rix,
  @{bin}/gzip                rix,
  @{bin}/hexdump             rix,
  @{bin}/install             rix,
  @{bin}/ldconfig            rix,
  @{bin}/ldd                 rix,
  @{bin}/ln                  rix,
  @{bin}/loadkeys            rix,
  @{bin}/mktemp              rix,
  @{bin}/mv                  rix,
  @{bin}/od                  rix,
  @{bin}/readlink            rix,
  @{bin}/realpath            rix,
  @{bin}/rm                  rix,
  @{bin}/sed                 rix,
  @{bin}/sort                rix,
  @{bin}/stat                rix,
  @{bin}/sync                rix,
  @{bin}/tee                 rix,
  @{bin}/touch               rix,
  @{bin}/tput                rix,
  @{bin}/uname               rix,
  @{bin}/xargs               rix,
  @{bin}/xz                  rix,
  @{bin}/zcat                rix,
  @{bin}/zstd                rix,

  @{bin}/{depmod,insmod}     rPx,
  @{bin}/{kmod,lsmod}        rPx,
  @{bin}/{modinfo,rmmod}     rPx,
  @{bin}/modprobe            rPx,
  @{bin}/plymouth            rPx,
  @{bin}/plymouth-set-default-theme rPx,

  @{lib}/initcpio/busybox    rix,
  @{lib}/ld-*.so*            rix,

  /etc/fstab r,
  /etc/initcpio/{,**} r,
  /etc/locale.conf r,
  /etc/lvm/lvm.conf r,
  /etc/mkinitcpio.conf r,
  /etc/mkinitcpio.d/{,**} r,
  /etc/mkinitcpio.conf.d/{,**} r,
  /etc/modprobe.d/{,*} r,
  /etc/plymouth/plymouthd.conf r,
  /etc/vconsole.conf r,

  /usr/share/kbd/{,**} r,
  /usr/share/plymouth/*.png r,
  /usr/share/plymouth/plymouthd.defaults r,
  /usr/share/plymouth/themes/{,**} r,
  /usr/share/terminfo/** r,

  # Can copy any program to the initframs
  /{usr/,}{local/,}{s,}bin/ r,
  @{bin}/[a-z0-9]* mr,
  @{lib}/ r,
  @{lib}/plymouth/plymouthd-* mr,
  @{lib}/systemd/{,**} mr,
  @{lib}/udev/[a-z0-9]* mr,

  # Manage /boot
  / r,
  /boot/ r,
  /boot/initramfs-*.img* rw,
  /boot/vmlinuz-* r,

  # Temp files
  owner @{run}/initramfs/{,**} rw,
  owner @{run}/mkinitcpio.@{rand6}/{,**} rw,
  owner /tmp/mkinitcpio.@{rand6} rw,
  owner /tmp/mkinitcpio.@{rand6}/{,**} rw,

  @{sys}/class/block/ r,
  @{sys}/devices/{,**} r,

  owner @{PROC}/@{pid}/mountinfo r,

  /dev/tty@{int}* rw,

  # Inherit silencer
  deny @{HOME}/** r,
  deny /apparmor/.null rw,
  deny network inet stream,
  deny network inet6 stream,

  include if exists <local/mkinitcpio>
}