From cf63b97c9b3b58234e35a1c6f20be235a95eedbc Mon Sep 17 00:00:00 2001
From: Jeroen Rijken <jeroen.rijken@xs4all.nl>
Date: Sat, 13 Aug 2022 16:38:50 +0200
Subject: [PATCH] Add avahi

---
 apparmor.d/groups/avahi/avahi-autoipd       | 27 ++++++++++++++++
 apparmor.d/groups/avahi/avahi-browse        | 32 +++++++++++++++++++
 apparmor.d/groups/avahi/avahi-daemon        | 23 ++++++++++++++
 apparmor.d/groups/avahi/avahi-publish       | 18 +++++++++++
 apparmor.d/groups/avahi/avahi-resolve       | 34 +++++++++++++++++++++
 apparmor.d/groups/avahi/avahi-set-host-name | 18 +++++++++++
 6 files changed, 152 insertions(+)
 create mode 100644 apparmor.d/groups/avahi/avahi-autoipd
 create mode 100644 apparmor.d/groups/avahi/avahi-browse
 create mode 100644 apparmor.d/groups/avahi/avahi-daemon
 create mode 100644 apparmor.d/groups/avahi/avahi-publish
 create mode 100644 apparmor.d/groups/avahi/avahi-resolve
 create mode 100644 apparmor.d/groups/avahi/avahi-set-host-name

diff --git a/apparmor.d/groups/avahi/avahi-autoipd b/apparmor.d/groups/avahi/avahi-autoipd
new file mode 100644
index 00000000..2a68007c
--- /dev/null
+++ b/apparmor.d/groups/avahi/avahi-autoipd
@@ -0,0 +1,27 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Jeroen Rijken
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}{s,}bin/avahi-autoipd
+profile avahi-autoipd @{exec_path} flags=(complain) {
+  include <abstractions/base>
+  include <abstractions/consoles>
+
+  network inet dgram,
+  network inet6 dgram,
+  network inet stream,
+  network inet6 stream,
+  network netlink raw,
+
+  signal receive set=kill,term,
+
+  @{exec_path} rm,
+  /etc/avahi/avahi-autoipd.action rix,
+
+  include if exists <local/avahi-autoipd>
+}
+
diff --git a/apparmor.d/groups/avahi/avahi-browse b/apparmor.d/groups/avahi/avahi-browse
new file mode 100644
index 00000000..e46b439b
--- /dev/null
+++ b/apparmor.d/groups/avahi/avahi-browse
@@ -0,0 +1,32 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Jeroen Rijken
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}bin/avahi-browse /{usr/,}bin/avahi-browse-domains
+profile avahi-browse @{exec_path} flags=(complain) {
+  include <abstractions/base>
+  include <abstractions/consoles>
+  include <abstractions/dbus-strict>
+
+  dbus send bus=system path=/
+      interface=org.freedesktop.DBus.Peer
+      member=Ping,
+
+  dbus send bus=system path=/
+      interface=org.freedesktop.Avahi.Server
+      member={GetAPIVersion,GetState,ServiceTypeBrowserNew,ServiceBrowserNew},
+
+  dbus receive bus=system path=/Client[0-9]/ServiceTypeBrowser[0-9]
+      interface=org.freedesktop.Avahi.ServiceTypeBrowser
+      member={ItemNew,CacheExhausted,AllForNow},
+
+  @{exec_path} rm,
+
+  /{usr/,}lib/x86_64-linux-gnu/avahi/service-types.db rwk,
+
+  include if exists <local/avahi-browse>
+}
diff --git a/apparmor.d/groups/avahi/avahi-daemon b/apparmor.d/groups/avahi/avahi-daemon
new file mode 100644
index 00000000..439377d1
--- /dev/null
+++ b/apparmor.d/groups/avahi/avahi-daemon
@@ -0,0 +1,23 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Jeroen Rijken
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}bin/avahi-daemon
+profile avahi-daemon @{exec_path} flags=(complain) {
+  include <abstractions/base>
+  include <abstractions/consoles>
+
+  network inet dgram,
+  network inet6 dgram,
+
+  @{exec_path} rm,
+
+  /etc/avahi/** r,
+
+  include if exists <local/avahi-daemon>
+}
+
diff --git a/apparmor.d/groups/avahi/avahi-publish b/apparmor.d/groups/avahi/avahi-publish
new file mode 100644
index 00000000..16256223
--- /dev/null
+++ b/apparmor.d/groups/avahi/avahi-publish
@@ -0,0 +1,18 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Jeroen Rijken
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}bin/avahi-publish /{usr/,}bin/avahi-publish-address /{usr/,}bin/avahi-publish-service
+profile avahi-publish @{exec_path} flags=(complain) {
+  include <abstractions/base>
+  include <abstractions/consoles>
+
+  @{exec_path} rm,
+
+  include if exists <local/avahi-publish>
+}
+
diff --git a/apparmor.d/groups/avahi/avahi-resolve b/apparmor.d/groups/avahi/avahi-resolve
new file mode 100644
index 00000000..b4dca294
--- /dev/null
+++ b/apparmor.d/groups/avahi/avahi-resolve
@@ -0,0 +1,34 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Jeroen Rijken
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}bin/avahi-resolve /{usr/,}bin/avahi-resolve-address /{usr/,}bin/avahi-resolve-host-name
+profile avahi-resolve @{exec_path} flags=(complain) {
+  include <abstractions/base>
+  include <abstractions/consoles>
+  include <abstractions/dbus-strict>
+
+  dbus send bus=system path=/
+      interface=org.freedesktop.DBus.Peer
+      member=Ping,
+
+  dbus send bus=system path=/
+      interface=org.freedesktop.Avahi.Server
+      member={GetAPIVersion,GetState,AddressResolverNew},
+
+  dbus send bus=system path=/Client[0-9]/AddressResolver[0-9]
+      interface=org.freedesktop.Avahi.AddressResolver
+      member={Free,HostNameResolverNew,},
+
+  dbus receive bus=system path=/Client[0-9]/AddressResolver[0-9]
+      interface=org.freedesktop.Avahi.AddressResolver
+      member={Failure,Found},
+
+  @{exec_path} rm,
+
+  include if exists <local/avahi-resolve>
+}
diff --git a/apparmor.d/groups/avahi/avahi-set-host-name b/apparmor.d/groups/avahi/avahi-set-host-name
new file mode 100644
index 00000000..f970b63c
--- /dev/null
+++ b/apparmor.d/groups/avahi/avahi-set-host-name
@@ -0,0 +1,18 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Jeroen Rijken
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}bin/avahi-set-host-name
+profile avahi-set-host-name @{exec_path} flags=(complain) {
+  include <abstractions/base>
+  include <abstractions/consoles>
+
+  @{exec_path} rm,
+
+  include if exists <local/avahi-set-host-name>
+}
+