apparmor.d/apparmor.d/profiles-a-f/fwupd

# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2022 Mikhail Morfikov
# Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/3.0>,

include <tunables/global>

@{exec_path} = /{usr/,}bin/fwupd /{usr/,}lib/fwupd/fwupd
profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
  include <abstractions/base>
  include <abstractions/disks-read>
  include <abstractions/nameservice-strict>
  include <abstractions/openssl>

  capability dac_override,
  capability dac_read_search,
  capability linux_immutable,
  capability mknod,
  capability sys_admin,
  capability sys_nice,
  capability sys_rawio,
  capability syslog,

  network netlink raw,

  @{exec_path} mr,

  /{usr/,}bin/gpg         rCx -> gpg,
  /{usr/,}bin/gpgconf     rCx -> gpg,
  /{usr/,}bin/gpgsm       rCx -> gpg,

  /etc/pki/fwupd/{,**} r,
  /etc/pki/fwupd-metadata/{,**} r,
  /etc/fwupd/{,**} r,
  /usr/share/fwupd/{,**} r,

  /var/cache/fwupd/{,**} rw,
  /var/lib/fwupd/{,**} rw,
  /var/lib/fwupd/pending.db rwk,

  /boot/{,**} r,
  /boot/EFI/arch/fwupdx[0-9]*.efi rw,
  /boot/EFI/arch/fw/fwupd-*.cap{,.*} rw,

  /usr/share/mime/mime.cache r,

  /etc/machine-id r,
  /var/lib/dbus/machine-id r,

  # In order to get to this file, the attach_disconnected flag has to be set
  owner @{user_cache_dirs}/fwupd/lvfs-metadata.xml.gz r,

  @{sys}/**/ r,
  @{sys}/devices/** r,

  @{sys}/firmware/acpi/** r,
  @{sys}/firmware/dmi/tables/DMI r,
  @{sys}/firmware/dmi/tables/smbios_entry_point r,
  @{sys}/firmware/efi/** r,
  @{sys}/firmware/efi/efivars/BootNext-* rw,
  @{sys}/firmware/efi/efivars/fwupd-* rw,
  @{sys}/kernel/security/lockdown r,
  @{sys}/kernel/security/tpm[0-9]/binary_bios_measurements r,
  @{sys}/power/mem_sleep r,

  @{run}/motd.d/ r,
  @{run}/motd.d/[0-9]*-fwupd* rw,
  @{run}/motd.d/fwupd/{,**} rw,
  @{run}/mount/utab r,
  @{run}/systemd/inhibit/[0-9]*.ref rw,
  @{run}/udev/data/* r,

  @{PROC}/@{pids}/fd/ r,
  @{PROC}/@{pids}/mountinfo r,
  @{PROC}/@{pids}/mounts r,
  @{PROC}/1/cgroup r,
  @{PROC}/cmdline r,
  @{PROC}/modules r,
  @{PROC}/swaps r,
  @{PROC}/sys/kernel/tainted r,

  /dev/bus/usb/ r,
  /dev/bus/usb/[0-9]*/[0-9]* rw,
  /dev/drm_dp_aux[0-9]* rw,
  /dev/mei[0-9]* rw,
  /dev/mem r,
  /dev/sd[a-z]* r,
  /dev/tpm[0-9]* rw,
  /dev/wmi/* r,

  profile gpg flags=(complain) {
    include <abstractions/base>
    include <abstractions/nameservice-strict>

    capability dac_read_search,

    /{usr/,}bin/gpg        mr,
    /{usr/,}bin/gpgconf    mr,
    /{usr/,}bin/gpgsm      mr,
    /{usr/,}bin/gpg-agent  mr,

    owner /var/lib/fwupd/gnupg/ rw,
    owner /var/lib/fwupd/gnupg/** rwkl -> /var/lib/fwupd/gnupg/**,

  }

  include if exists <local/fwupd>
}
Rewrite Copyright header, use SPDX style. 2021-04-01 17:17:47 +02:00			`# apparmor.d - Full set of apparmor profiles`
Profiles update. 2022-03-04 22:30:34 +01:00			`# Copyright (C) 2020-2022 Mikhail Morfikov`
			`# Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>`
Rewrite Copyright header, use SPDX style. 2021-04-01 17:17:47 +02:00			`# SPDX-License-Identifier: GPL-2.0-only`
move apparmor profiles to a seperate repo 2020-09-12 17:19:23 +02:00
update profiles for apparmor3 2020-12-10 22:33:39 +01:00			`abi <abi/3.0>,`
move apparmor profiles to a seperate repo 2020-09-12 17:19:23 +02:00
update profiles for apparmor3 2020-12-10 22:33:39 +01:00			`include <tunables/global>`
move apparmor profiles to a seperate repo 2020-09-12 17:19:23 +02:00
			`@{exec_path} = /{usr/,}bin/fwupd /{usr/,}lib/fwupd/fwupd`
			`profile fwupd @{exec_path} flags=(complain,attach_disconnected) {`
update profiles for apparmor3 2020-12-10 22:33:39 +01:00			`include <abstractions/base>`
Update profiles. 2021-08-14 13:59:24 +02:00			`include <abstractions/disks-read>`
update profiles for apparmor3 2020-12-10 22:33:39 +01:00			`include <abstractions/nameservice-strict>`
Update profiles. 2021-08-14 13:59:24 +02:00			`include <abstractions/openssl>`
move apparmor profiles to a seperate repo 2020-09-12 17:19:23 +02:00
			`capability dac_override,`
Update profiles. 2021-08-14 13:59:24 +02:00			`capability dac_read_search,`
			`capability linux_immutable,`
			`capability mknod,`
			`capability sys_admin,`
			`capability sys_nice,`
move apparmor profiles to a seperate repo 2020-09-12 17:19:23 +02:00			`capability sys_rawio,`
			`capability syslog,`

Update profiles. 2021-08-14 13:59:24 +02:00			`network netlink raw,`

move apparmor profiles to a seperate repo 2020-09-12 17:19:23 +02:00			`@{exec_path} mr,`

			`/{usr/,}bin/gpg rCx -> gpg,`
			`/{usr/,}bin/gpgconf rCx -> gpg,`
			`/{usr/,}bin/gpgsm rCx -> gpg,`

Profiles update. 2021-10-22 16:01:43 +02:00			`/etc/pki/fwupd/{,**} r,`
			`/etc/pki/fwupd-metadata/{,**} r,`
			`/etc/fwupd/{,**} r,`
			`/usr/share/fwupd/{,**} r,`
Update profiles. 2021-08-14 13:59:24 +02:00
Profiles update. 2021-10-22 16:01:43 +02:00			`/var/cache/fwupd/{,**} rw,`
Update profiles. 2021-08-14 13:59:24 +02:00			`/var/lib/fwupd/{,**} rw,`
			`/var/lib/fwupd/pending.db rwk,`

			`/boot/{,**} r,`
			`/boot/EFI/arch/fwupdx[0-9]*.efi rw,`
			`/boot/EFI/arch/fw/fwupd-.cap{,.} rw,`
move apparmor profiles to a seperate repo 2020-09-12 17:19:23 +02:00
			`/usr/share/mime/mime.cache r,`

Profiles update. 2022-03-04 22:30:34 +01:00			`/etc/machine-id r,`
			`/var/lib/dbus/machine-id r,`
move apparmor profiles to a seperate repo 2020-09-12 17:19:23 +02:00
Profiles update. 2022-03-04 22:30:34 +01:00			`# In order to get to this file, the attach_disconnected flag has to be set`
			`owner @{user_cache_dirs}/fwupd/lvfs-metadata.xml.gz r,`
move apparmor profiles to a seperate repo 2020-09-12 17:19:23 +02:00
			`@{sys}/**/ r,`
			`@{sys}/devices/** r,`

Update profiles. 2021-08-14 13:59:24 +02:00			`@{sys}/firmware/acpi/** r,`
move apparmor profiles to a seperate repo 2020-09-12 17:19:23 +02:00			`@{sys}/firmware/dmi/tables/DMI r,`
Update profiles. 2021-08-14 13:59:24 +02:00			`@{sys}/firmware/dmi/tables/smbios_entry_point r,`
			`@{sys}/firmware/efi/** r,`
			`@{sys}/firmware/efi/efivars/BootNext-* rw,`
Profiles update. 2021-10-07 15:50:46 +02:00			`@{sys}/firmware/efi/efivars/fwupd-* rw,`
move apparmor profiles to a seperate repo 2020-09-12 17:19:23 +02:00			`@{sys}/kernel/security/lockdown r,`
Update profiles. 2021-08-14 13:59:24 +02:00			`@{sys}/kernel/security/tpm[0-9]/binary_bios_measurements r,`
			`@{sys}/power/mem_sleep r,`
move apparmor profiles to a seperate repo 2020-09-12 17:19:23 +02:00
Profiles update. 2022-03-04 22:30:34 +01:00			`@{run}/motd.d/ r,`
			`@{run}/motd.d/[0-9]-fwupd rw,`
typos 2022-01-18 00:45:11 +01:00			`@{run}/motd.d/fwupd/{,**} rw,`
Profiles update. 2022-03-04 22:30:34 +01:00			`@{run}/mount/utab r,`
Update profiles. 2021-08-14 13:59:24 +02:00			`@{run}/systemd/inhibit/[0-9]*.ref rw,`
Profiles update. 2022-03-04 22:30:34 +01:00			`@{run}/udev/data/* r,`
move apparmor profiles to a seperate repo 2020-09-12 17:19:23 +02:00
Profiles update. 2022-03-04 22:30:34 +01:00			`@{PROC}/@{pids}/fd/ r,`
			`@{PROC}/@{pids}/mountinfo r,`
			`@{PROC}/@{pids}/mounts r,`
			`@{PROC}/1/cgroup r,`
			`@{PROC}/cmdline r,`
			`@{PROC}/modules r,`
			`@{PROC}/swaps r,`
			`@{PROC}/sys/kernel/tainted r,`

			`/dev/bus/usb/ r,`
			`/dev/bus/usb/[0-9]/[0-9] rw,`
			`/dev/drm_dp_aux[0-9]* rw,`
			`/dev/mei[0-9]* rw,`
			`/dev/mem r,`
			`/dev/sd[a-z]* r,`
			`/dev/tpm[0-9]* rw,`
			`/dev/wmi/* r,`
move apparmor profiles to a seperate repo 2020-09-12 17:19:23 +02:00
Update profiles. 2021-08-14 13:59:24 +02:00			`profile gpg flags=(complain) {`
update profiles for apparmor3 2020-12-10 22:33:39 +01:00			`include <abstractions/base>`
Update profiles. 2021-08-14 13:59:24 +02:00			`include <abstractions/nameservice-strict>`
move apparmor profiles to a seperate repo 2020-09-12 17:19:23 +02:00
Profiles update. 2021-10-07 15:50:46 +02:00			`capability dac_read_search,`

move apparmor profiles to a seperate repo 2020-09-12 17:19:23 +02:00			`/{usr/,}bin/gpg mr,`
			`/{usr/,}bin/gpgconf mr,`
			`/{usr/,}bin/gpgsm mr,`
Update profiles. 2021-08-14 13:59:24 +02:00			`/{usr/,}bin/gpg-agent mr,`
move apparmor profiles to a seperate repo 2020-09-12 17:19:23 +02:00
			`owner /var/lib/fwupd/gnupg/ rw,`
			`owner /var/lib/fwupd/gnupg/ rwkl -> /var/lib/fwupd/gnupg/,`

			`}`

update profiles for apparmor3 2020-12-10 22:33:39 +01:00			`include if exists <local/fwupd>`
move apparmor profiles to a seperate repo 2020-09-12 17:19:23 +02:00			`}`