# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only

# NOTE(review): the targets of every `abi` and `include` directive in this
# file (normally written in angle brackets) were lost in extraction. Restore
# them from the upstream apparmor.d file before loading this profile.
abi ,
include

@{exec_path} = /{usr/,}bin/spectre-meltdown-checker
profile spectre-meltdown-checker @{exec_path} {
  include

  # Needed to read the /dev/cpu/[0-9]*/msr device
  capability sys_rawio,

  # Needed to read system logs
  capability syslog,

  @{exec_path} r,

  # The checker is a shell script; the helpers below run inherited (ix) in
  # this profile, so each of them is confined by the rules in this block.
  /{usr/,}bin/{,ba,da}sh rix,
  /{usr/,}bin/ r,
  /{usr/,}bin/dirname rix,
  /{usr/,}bin/uname rix,
  /{usr/,}bin/cut rix,
  /{usr/,}bin/{,e}grep rix,
  /{usr/,}bin/head rix,
  /{usr/,}bin/gawk rix,
  /{usr/,}bin/sed rix,
  /{usr/,}bin/od rix,
  /{usr/,}bin/dd rix,
  /{usr/,}bin/id rix,
  /{usr/,}bin/gunzip rix,
  /{usr/,}bin/gzip rix,
  /{usr/,}bin/zstd rix,
  /{usr/,}bin/bunzip2 rix,
  /{usr/,}bin/lzop rix,
  /{usr/,}bin/mktemp rix,
  /{usr/,}bin/tr rix,
  /{usr/,}bin/stat rix,
  /{usr/,}bin/tail rix,
  /{usr/,}bin/xz rix,
  /{usr/,}bin/seq rix,
  /{usr/,}bin/rm rix,
  /{usr/,}bin/sort rix,
  /{usr/,}bin/cat rix,
  /{usr/,}bin/basename rix,
  /{usr/,}bin/perl rix,
  /{usr/,}bin/base64 rix,
  /{usr/,}bin/unzip rix,
  /{usr/,}bin/{,@{multiarch}-}readelf rix,
  /{usr/,}bin/{,@{multiarch}-}strings rix,
  /{usr/,}bin/{,@{multiarch}-}objdump rix,
  /{usr/,}sbin/iucode_tool rix,
  /{usr/,}bin/dmesg rix,
  /{usr/,}bin/mount rix,

  # Tools that need rules the main profile should not carry run in their own
  # child profiles (Cx) defined at the bottom of this block.
  /{usr/,}bin/pgrep rCx -> pgrep,
  /{usr/,}bin/ccache rCx -> ccache,
  /{usr/,}bin/kmod rCx -> kmod,

  # To fetch MCE.db from the MCExtractor project
  /{usr/,}bin/wget rCx -> mcedb,
  /{usr/,}bin/sqlite3 rCx -> mcedb,

  # Scratch files created by the script; `owner` restricts them to the
  # invoking user's own files. The intelfw-* tree is presumably the
  # extracted contents of fw.zip (unzip is allowed above) — confirm.
  owner /tmp/mcedb-* rw,
  owner /tmp/smc-* rw,
  owner /tmp/intelfw-*/ rw,
  owner /tmp/intelfw-*/fw.zip rw,
  owner /tmp/intelfw-*/Intel-Linux-Processor-Microcode-Data-Files-master/ rw,
  owner /tmp/intelfw-*/Intel-Linux-Processor-Microcode-Data-Files-master/** rw,
  owner @{HOME}/.mcedb rw,

  # NOTE(review): this grants write access to the confined binary itself.
  # A process that can rewrite its own executable can change what runs under
  # this profile on the next invocation; confirm the script really needs to
  # modify itself and drop this rule if it does not.
  owner /{usr/,}bin/spectre-meltdown-checker w,

  # NOTE(review): presumably temporary copies of the kernel image / config
  # taken from /boot or /proc — confirm against the script.
  /tmp/ r,
  owner /tmp/{config,kernel}-* rw,

  # NOTE(review): the capability comment above says "read", but msr is
  # granted rw, which also permits writing model-specific registers.
  # Confirm whether the script writes MSRs; if not, reduce this to r.
  owner /dev/cpu/[0-9]*/cpuid r,
  owner /dev/cpu/[0-9]*/msr rw,
  owner /dev/kmsg r,

  # Kernel image, config and symbol map for the installed kernels.
  /boot/ r,
  /boot/{config,vmlinuz,System.map}-* r,

  # Kernel-reported mitigation status and module parameters.
  @{sys}/devices/system/cpu/vulnerabilities/* r,
  @{sys}/module/kvm_intel/parameters/ept r,

  @{PROC}/ r,
  @{PROC}/config.gz r,
  @{PROC}/cmdline r,
  @{PROC}/kallsyms r,
  @{PROC}/modules r,

  /var/lib/dbus/machine-id r,
  /etc/machine-id r,

  # For shell pwd
  /root/ r,
  /etc/ r,

  profile ccache {
    include

    /{usr/,}bin/ccache mr,
    # The compiler itself runs inherited inside this child profile.
    /{usr/,}bin/{,@{multiarch}-}gcc-[0-9]* rix,

    /media/ccache/*/** rw,

  }

  profile pgrep {
    include

    /{usr/,}bin/pgrep mr,

    # The /proc/ dir and the cmdline file have to be readable to avoid pgrep segfault.
    @{PROC}/ r,
    @{PROC}/@{pids}/cmdline r,

    @{PROC}/sys/kernel/osrelease r,

  }

  profile mcedb {
    # NOTE(review): five include targets were stripped here (see note at the
    # top of the file). wget and sqlite3 share this child profile, so any
    # network access the restored abstractions grant wget is also granted to
    # sqlite3; splitting them into two child profiles would tighten that.
    include
    include
    include
    include
    include

    /{usr/,}bin/wget mr,
    /{usr/,}bin/sqlite3 mr,

    /etc/wgetrc r,
    owner @{HOME}/.wget-hsts rwk,

    /tmp/ r,
    owner /tmp/mcedb-* rwk,
    owner /tmp/intelfw-*/fw.zip rw,

    /usr/share/publicsuffix/public_suffix_list.* r,

  }

  profile kmod {
    include

    /{usr/,}bin/kmod mr,

    /etc/modprobe.d/ r,
    /etc/modprobe.d/*.conf r,

    @{PROC}/cmdline r,

  }

  # Site-local overrides (target stripped in extraction; see note at top).
  include if exists
}