From 16dddf16dca1aedaa6f630fbf633c2245cc65c2b Mon Sep 17 00:00:00 2001
From: Alexandre Pujol <alexandre@pujol.io>
Date: Sun, 12 Dec 2021 12:36:17 +0000
Subject: [PATCH] Add sysctl profile.

---
 apparmor.d/profiles-s-z/sysctl | 28 ++++++++++++++++++++++++++++
 dists/flags/main.flags         |  1 +
 2 files changed, 29 insertions(+)
 create mode 100644 apparmor.d/profiles-s-z/sysctl

diff --git a/apparmor.d/profiles-s-z/sysctl b/apparmor.d/profiles-s-z/sysctl
new file mode 100644
index 00000000..b2fb3032
--- /dev/null
+++ b/apparmor.d/profiles-s-z/sysctl
@@ -0,0 +1,28 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}bin/sysctl
+profile sysctl @{exec_path} {
+  include <abstractions/base>
+
+  capability mac_admin,
+  capability net_admin,
+  capability sys_admin,
+  capability sys_resource,
+
+  @{exec_path} mr,
+
+  @{PROC}/sys/ r,
+  @{PROC}/sys/** rw,
+
+  # Inherit Silencer
+  deny network inet6 stream,
+  deny network inet stream,
+
+  include if exists <local/sysctl>
+}
\ No newline at end of file
diff --git a/dists/flags/main.flags b/dists/flags/main.flags
index d65d6a2b..16c07e07 100644
--- a/dists/flags/main.flags
+++ b/dists/flags/main.flags
@@ -114,6 +114,7 @@ sudo complain
 swaplabel complain
 swapoff complain
 swapon complain
+sysctl complain
 systemd-analyze complain
 systemd-ask-password complain
 systemd-binfmt complain