diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd
index 9ed14a1d..220cbb54 100644
--- a/apparmor.d/groups/systemd/systemd-udevd
+++ b/apparmor.d/groups/systemd/systemd-udevd
@@ -39,6 +39,7 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) {
 @{coreutils_path} rix,
 @{bin}/*-print-pci-ids rix,
 @{bin}/alsactl rPUx,
+ @{bin}/ddcutil rPx,
 @{bin}/dmsetup rPUx,
 @{bin}/ethtool rix,
 @{bin}/issue-generator rPx,
diff --git a/apparmor.d/profiles-a-f/ddcutil b/apparmor.d/profiles-a-f/ddcutil
new file mode 100644
index 00000000..d8305f31
--- /dev/null
+++ b/apparmor.d/profiles-a-f/ddcutil
@@ -0,0 +1,47 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/ddcutil
+profile ddcutil @{exec_path} {
+ include
+ include
+ include
+ include
+
+ capability sys_admin,
+
+ @{exec_path} mr,
+
+ @{sh_path} rix,
+ @{bin}/find rix,
+ @{bin}/sed rix,
+ @{bin}/xargs rix,
+ @{bin}/grep rix,
+
+ owner @{user_cache_dirs}/ddcutil/ rw,
+ owner @{user_cache_dirs}/ddcutil/** rwlk,
+
+ @{run}/udev/data/* r,
+
+ @{sys}/ r,
+ @{sys}/bus/ r,
+ @{sys}/bus/** r,
+ @{sys}/class/ r,
+ @{sys}/class/** r,
+ @{sys}/devices/ r,
+ @{sys}/devices/** r,
+
+ owner @{PROC}/@{pid}/fd/ r,
+
+ /dev/ r,
+ /dev/i2c-@{int} rwk,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/dists/flags/main.flags b/dists/flags/main.flags
index 814123c8..1bcf1e7d 100644
--- a/dists/flags/main.flags
+++ b/dists/flags/main.flags
@@ -84,6 +84,7 @@ cups-notifier-mailto complain
 cups-notifier-rss complain
 cups-pk-helper-mechanism complain
 cupsd attach_disconnected,complain
+ddcutil complain
 DiscoverNotifier complain
 dkms attach_disconnected,complain
 dockerd attach_disconnected,complain
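Review bot: `capability sys_admin,` in the new ddcutil profile is the broadest capability AppArmor can grant and nothing else in the rule set obviously accounts for it — the remaining rules cover i2c-dev nodes, sysfs reads, udev data and a per-user cache, none of which normally requires CAP_SYS_ADMIN. If it was added from a logged denial, record which operation triggered it so it can be revisited, e.g. `# CAP_SYS_ADMIN: <operation seen in audit log>` directly above the line; if it was added speculatively, drop it and re-check under complain mode. Note that this profile is registered as `complain` in main.flags and is reached via `rPx` from systemd-udevd, which is itself in complain mode, so until both are flipped to enforce the chain only audits: the `/dev/i2c-@{int} rwk` rule, which covers every I2C bus on the host rather than only display links, will be logged, not restricted. The `abi` and `include` lines appear to have lost their targets in this rendering, so the abstractions pulled in cannot be reviewed here.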