apparmor.d/apparmor.d/groups/pacman/mkinitcpio

# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/3.0>,

include <tunables/global>

@{exec_path} = /{usr/,}bin/mkinitcpio
profile mkinitcpio @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/consoles>
  include <abstractions/nameservice-strict>

  capability dac_read_search,
  capability mknod,
  capability sys_admin,
  capability sys_chroot,

  unix (receive) type=stream,

  @{exec_path} rmix,

  /{usr/,}bin/{,ba}sh             rix,
  /{usr/,}bin/bsdtar              rix,
  /{usr/,}bin/cat                 rix,
  /{usr/,}bin/cp                  rix,
  /{usr/,}bin/dd                  rix,
  /{usr/,}bin/find                rix,
  /{usr/,}bin/findmnt             rix,
  /{usr/,}bin/fsck                rix,
  /{usr/,}bin/gawk                rix,
  /{usr/,}bin/grep                rix,
  /{usr/,}bin/hexdump             rix,
  /{usr/,}bin/install             rix,
  /{usr/,}bin/ldconfig            rix,
  /{usr/,}bin/ldd                 rix,
  /{usr/,}bin/ln                  rix,
  /{usr/,}bin/loadkeys            rix,
  /{usr/,}bin/mktemp              rix,
  /{usr/,}bin/readlink            rix,
  /{usr/,}bin/rm                  rix,
  /{usr/,}bin/sed                 rix,
  /{usr/,}bin/sort                rix,
  /{usr/,}bin/stat                rix,
  /{usr/,}bin/tee                 rix,
  /{usr/,}bin/touch               rix,
  /{usr/,}bin/tput                rix,
  /{usr/,}bin/uname               rix,
  /{usr/,}bin/xz                  rix,
  /{usr/,}bin/zstd                rix,

  /{usr/,}bin/{depmod,insmod}     rPx,
  /{usr/,}bin/{kmod,lsmod}        rPx,
  /{usr/,}bin/{modinfo,rmmod}     rPx,
  /{usr/,}bin/modprobe            rPx,
  /{usr/,}bin/plymouth            rPx,
  /{usr/,}bin/plymouth-set-default-theme rPx,

  /{usr/,}lib/initcpio/busybox    rix,
  /{usr/,}lib{,32,64}/ld-*.so*    rix,

  /etc/fstab r,
  /etc/locale.conf r,
  /etc/lvm/lvm.conf r,
  /etc/mkinitcpio.conf r,
  /etc/mkinitcpio.d/{,**} r,
  /etc/modprobe.d/{,*} r,
  /etc/plymouth/plymouthd.conf r,
  /etc/vconsole.conf r,

  /usr/share/kbd/keymaps/{,**} r,
  /usr/share/plymouth/*.png r,
  /usr/share/plymouth/plymouthd.defaults r,
  /usr/share/plymouth/themes/{,**} r,
  /usr/share/terminfo/x/xterm-256color r,

  # Can copy any program to the initframs
  /{usr/,}bin/ r,
  /{usr/,}bin/[a-z0-9]* rm,
  /{usr/,}lib/plymouth/plymouthd-* rm,
  /{usr/,}lib/systemd/systemd-* rm,
  /{usr/,}lib/udev/[a-z0-9]* rm,

  # Manage /boot
  / r,
  /boot/initramfs-*.img rw,
  /boot/vmlinuz-* r,

  @{sys}/class/block/ r,
  @{sys}/devices/{,**} r,

  # Temp files
  owner @{run}/initramfs/{,**} rw,
  owner @{run}/mkinitcpio.*/{,**} rw,
  owner /tmp/mkinitcpio.*/{,**} rw,

  owner @{PROC}/@{pid}/mountinfo r,

  # Inherit silencer
  deny @{HOME}/** r,
  deny network inet6 stream,
  deny network inet stream,
  deny /apparmor/.null rw,

  include if exists <local/mkinitcpio>
}