# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/3.0>,

include <tunables/global>

@{exec_path} = /{usr/,}{s,}bin/apparmor_parser
profile apparmor_parser @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/consoles>

  capability mac_admin,

  @{exec_path} mr,

  /etc/apparmor/{,**} r,
  /etc/apparmor.d/{,**} r,
  /etc/apparmor.d/cache.d/{,**} rw,
  /etc/apparmor/earlypolicy/{,**} rw,

  /usr/share/apparmor-features/{,**} r,
  /usr/share/apparmor/{,**} r,

  owner /snap/core[0-9]*/[0-9]*/etc/apparmor.d/{,**} r,
  owner /snap/core[0-9]*/[0-9]*/etc/apparmor/* r,
  owner /var/cache/apparmor/{,**} rw,
  owner /var/lib/docker/tmp/docker-default[0-9]* r,
  owner /var/lib/snapd/apparmor/{,**} r,
  owner /var/snap/lxd/common/lxd/security/apparmor/{,**} rw,

  owner /tmp/cri-containerd.apparmor.d[0-9]* r,

        @{sys}/kernel/security/apparmor/{,**} r,
  owner @{sys}/kernel/security/apparmor/.{remove,replace,load,access} rw,

        @{PROC}/sys/kernel/osrelease r,
  owner @{PROC}/@{pid}/mounts r,

  deny /apparmor/.null rw,

  include if exists <local/apparmor_parser>
}