From 51dfe0d35f0bbc8b5dc01e34c8ab8697033f6d24 Mon Sep 17 00:00:00 2001
From: barmogund
Date: Sat, 9 Nov 2024 20:04:15 +0100
Subject: [PATCH] Add support for tlp (#585)
---
 apparmor.d/profiles-g-l/hdparm | 2 +-
 apparmor.d/profiles-s-z/tlp | 102 +++++++++++++++++++++++++++++++++
 2 files changed, 103 insertions(+), 1 deletion(-)
 create mode 100644 apparmor.d/profiles-s-z/tlp
diff --git a/apparmor.d/profiles-g-l/hdparm b/apparmor.d/profiles-g-l/hdparm
index 606540bb..a4fa3497 100644
--- a/apparmor.d/profiles-g-l/hdparm
+++ b/apparmor.d/profiles-g-l/hdparm
@@ -10,9 +10,9 @@ include @{exec_path} = @{bin}/hdparm profile hdparm @{exec_path} flags=(complain) { include + include include include - include # To remove the following errors: # re-writing sector *: BLKFLSBUF failed: Permission denied
diff --git a/apparmor.d/profiles-s-z/tlp b/apparmor.d/profiles-s-z/tlp
new file mode 100644
index 00000000..af5f6706
--- /dev/null
+++ b/apparmor.d/profiles-s-z/tlp
@@ -0,0 +1,102 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021-2024 Alexandre Pujol
+# Copyright (C) 2024 Barmogund
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/tlp
+profile tlp @{exec_path} flags=(attach_disconnected) {
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+
+ capability dac_read_search,
+ capability net_admin,
+ capability sys_nice,
+ capability sys_rawio,
+ capability sys_tty_config,
+
+ network netlink raw,
+
+ ptrace read peer=unconfined,
+
+ @{exec_path} mr,
+
+ @{bin}/systemctl rCx -> systemctl,
+ @{bin}/logger rix,
+ @{sh_path} rix,
+ @{bin}/cp rix,
+ @{bin}/chmod rix,
+ @{bin}/flock rix,
+ @{bin}/sort rix,
+ @{bin}/head rix,
+ @{bin}/mktemp rix,
+ @{bin}/readlink rix,
+ @{bin}/tr rix,
+ @{bin}/ethtool rix,
+ @{bin}/grep rix,
+ @{bin}/touch rix,
+ @{bin}/cat rix,
+ @{bin}/rm rix,
+ @{bin}/id rPx,
+ @{bin}/iw rPx,
+ @{bin}/hdparm rPx,
+ @{bin}/uname rpx,
+ @{bin}/udevadm rCx -> udevadm,
+ /usr/share/tlp/tlp-readconfs rix,
+
+ / r,
+
+ /etc/tlp.d/ r,
+ /etc/tlp.d/** rw,
+ /etc/tlp.conf rw,
+
+ /usr/share/tlp/** r,
+
+ /var/lib/power-profiles-daemon/state.ini rw,
+
+ @{run}/udev/data/+platform:* r,
+ owner @{run}/tlp/* rw,
+ owner @{run}/tlp/lock_tlp rwk,
+
+ @{sys}/devices/system/cpu/cpufreq/policy@{int}/energy_performance_preference rw,
+ @{sys}/module/pcie_aspm/parameters/policy rw,
+ @{sys}/module/snd_hda_intel/parameters/power_save rw,
+ @{sys}/module/snd_hda_intel/parameters/power_save_controller rw,
+ @{sys}/firmware/acpi/platform_profile* rw,
+ @{sys}/firmware/acpi/pm_profile* rw,
+
+ owner @{PROC}/sys/vm/laptop_mode rw,
+ owner @{PROC}/sys/vm/dirty_writeback_centisecs rw,
+ owner @{PROC}/sys/vm/dirty_expire_centisecs rw,
+ owner @{PROC}/sys/fs/xfs/xfssyncd_centisecs rw,
+ owner @{PROC}/sys/kernel/nmi_watchdog rw,
+
+ /dev/disk/by-id/ r,
+ /dev/tty rw,
+
+ profile systemctl {
+ include
+ include
+
+ include if exists
+ }
+
+ profile udevadm {
+ include
+ include
+
+ include if exists
+ }
+
+ include if exists
+}
+
+# vim:syntax=apparmor
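Review bot: `@{bin}/uname rpx,` is the only profile transition in the exec list written with lowercase `px`, which does not scrub the environment passed to the target profile, while `id`, `iw` and `hdparm` use `rPx`; unless the lowercase is deliberate, it should read `@{bin}/uname rPx,` so every transition out of the tlp profile behaves the same way. Separately, `/etc/tlp.conf rw,` and `/etc/tlp.d/** rw,` let the confined process, and the shell, `cp`, `chmod` and `rm` it runs under `rix`, rewrite its own configuration; if no write denial was observed while building the profile, `r` is sufficient, and otherwise a one-line comment naming the writer would justify the `w`. A short comment above the capability block saying which operation needs `sys_rawio` and `dac_read_search` would likewise help whoever next audits this profile.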