# apparmor.d - Full set of apparmor profiles # Copyright (C) 2020-2022 Mikhail Morfikov # Copyright (C) 2021-2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , include @{exec_path} = @{lib}/{,fwupd/}fwupd profile fwupd @{exec_path} flags=(complain,attach_disconnected) { include include include include include include include capability dac_override, capability dac_read_search, capability linux_immutable, capability mknod, capability sys_admin, capability sys_nice, capability sys_rawio, capability syslog, network netlink raw, dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={GetConnectionUnixUser,RemoveMatch,RequestName} peer=(name=org.freedesktop.DBus), dbus send bus=system path=/org/freedesktop/ModemManager1 interface=org.freedesktop.DBus.{Properties,ObjectManager} member={GetAll,GetManagedObjects}, dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority interface=org.freedesktop.DBus.Properties member={Changed,GetAll} peer=(label=polkitd), dbus send bus=system path=/org/freedesktop/UDisks2/block_devices/* interface=org.freedesktop.DBus.Properties member=GetAll, dbus send bus=system path=/org/freedesktop/UDisks2/Manager interface=org.freedesktop.{DBus.Properties,UDisks2.Manager} member={GetAll,GetBlockDevices}, dbus send bus=system path=/org/freedesktop/UPower{,/devices/DisplayDevice} interface=org.freedesktop.DBus.Properties member=GetAll, dbus send bus=system path=/ interface=org.freedesktop.fwupd member=Changed peer=(label=fwupdmgr), dbus send bus=system path=/ interface=org.freedesktop.DBus member=Changed peer=(label=fwupdmgr), dbus receive bus=system path=/ interface=org.freedesktop.fwupd, dbus receive bus=system path=/org/freedesktop/PolicyKit1/Authority interface=org.freedesktop.DBus.Properties member={Changed,GetAll} peer=(label=polkitd), dbus receive bus=system path=/ interface=org.freedesktop.DBus.Properties member={GetAll,SetHints,GetPlugins,GetRemotes} peer=(name=:*, label=fwupdmgr), dbus bind bus=system name=org.freedesktop.fwupd, @{exec_path} mr, @{lib}/fwupd/fwupd-detect-cet rix, @{bin}/gpg{,2} rCx -> gpg, @{bin}/gpgconf rCx -> gpg, @{bin}/gpgsm rCx -> gpg, /usr/share/fwupd/{,**} r, /usr/share/mime/mime.cache r, /etc/fwupd/{,**} rw, /etc/lsb-release r, /etc/pki/fwupd-metadata/{,**} r, /etc/pki/fwupd/{,**} r, /var/cache/fwupd/{,**} rw, /var/lib/fwupd/{,**} rw, /var/lib/fwupd/pending.db rwk, /var/tmp/etilqs_@{hex} rw, /boot/{,**} r, /boot/EFI/*/.goutputstream-* rw, /boot/EFI/*/fw/fwupd-*.cap{,.*} rw, /boot/EFI/*/fwupdx[0-9]*.efi rw, @{lib}/fwupd/efi/fwupdx[0-9]*.efi r, /etc/machine-id r, /var/lib/dbus/machine-id r, # In order to get to this file, the attach_disconnected flag has to be set owner @{user_cache_dirs}/fwupd/lvfs-metadata.xml.gz r, owner @{user_cache_dirs}/gnome-software/fwupd/{,**} r, @{sys}/**/ r, @{sys}/devices/** r, @{sys}/firmware/acpi/** r, @{sys}/firmware/dmi/tables/DMI r, @{sys}/firmware/dmi/tables/smbios_entry_point r, @{sys}/firmware/efi/** r, @{sys}/firmware/efi/efivars/BootNext-@{uuid} rw, @{sys}/firmware/efi/efivars/Boot@{hex}-@{uuid} rw, @{sys}/firmware/efi/efivars/fwupd-* rw, @{sys}/kernel/security/lockdown r, @{sys}/kernel/security/tpm[0-9]/binary_bios_measurements r, @{sys}/power/mem_sleep r, @{run}/motd.d/ r, @{run}/motd.d/[0-9]*-fwupd* rw, @{run}/motd.d/fwupd/{,**} rw, @{run}/mount/utab r, @{run}/systemd/inhibit/[0-9]*.ref rw, @{run}/udev/data/* r, @{PROC}/@{pids}/fd/ r, @{PROC}/@{pids}/mountinfo r, @{PROC}/@{pids}/mounts r, @{PROC}/1/cgroup r, @{PROC}/cmdline r, @{PROC}/modules r, @{PROC}/swaps r, @{PROC}/sys/kernel/tainted r, /dev/bus/usb/ r, /dev/bus/usb/[0-9]*/[0-9]* rw, /dev/cpu/[0-9]*/msr rw, /dev/drm_dp_aux[0-9]* rw, /dev/gpiochip[0-9]* r, /dev/hidraw[0-9]* rw, /dev/mei[0-9]* rw, /dev/mem r, /dev/mtd[0-9]* rw, /dev/sd[a-z]* r, /dev/tpm[0-9]* rw, /dev/tpmrm[0-9]* rw, /dev/wmi/* r, profile gpg flags=(complain) { include include capability dac_read_search, @{bin}/gpg{,2} mr, @{bin}/gpgconf mr, @{bin}/gpgsm mr, @{bin}/gpg-agent mrix, owner /var/lib/fwupd/gnupg/ rw, owner /var/lib/fwupd/gnupg/** rwkl -> /var/lib/fwupd/gnupg/**, owner @{PROC}/@{pids}/fd/ r, } include if exists }