# apparmor.d - Full set of apparmor profiles # Copyright (C) 2019-2021 Mikhail Morfikov # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , include @{exec_path} = @{bin}/hardinfo profile hardinfo @{exec_path} { include include include include include include include include include # This is needed to display some content of devices -> resources capability sys_admin, # This is for benchmarks capability sys_nice, network inet dgram, network inet6 dgram, network inet stream, network inet6 stream, @{exec_path} mrix, @{sh_path} rix, @{bin}/gdb rix, @{bin}/iconv rix, @{bin}/last rix, @{bin}/ldd rix, @{bin}/locale rix, @{bin}/make rix, @{bin}/perl rix, @{bin}/python3.@{int} rix, @{bin}/route rix, @{bin}/ruby[0-9].@{int} rix, @{bin}/strace rix, @{bin}/tr rix, @{bin}/valgrind{,.bin} rix, @{lib}/@{multiarch}/valgrind/memcheck-*-linux rix, @{bin}/lsb_release rPx -> lsb_release, @{bin}/xdg-open rCx -> open, @{bin}/ccache rCx -> ccache, @{bin}/kmod rCx -> kmod, @{bin}/glxinfo rPx, @{bin}/xdpyinfo rPx, @{bin}/lspci rPx, @{bin}/lsusb rPx, @{bin}/netstat rPx, @{bin}/qtchooser rPx, @{lib}/jvm/java-[0-9]*-openjdk-amd64/bin/javac rCx -> javac, /usr/share/hardinfo/{,**} r, @{sys}/class/power_supply/ r, @{sys}/class/thermal/ r, @{sys}/bus/i2c/drivers/eeprom/ r, @{sys}/devices/system/cpu/** r, @{sys}/devices/virtual/dmi/id/* r, @{sys}/devices/virtual/thermal/thermal_zone@{int}/hwmon@{int}/temp* r, @{sys}/devices/virtual/thermal/thermal_zone@{int}/temp* r, @{sys}/devices/platform/**/hwmon/hwmon@{int}/temp* r, @{sys}/devices/platform/**/hwmon/hwmon@{int}/fan* r, @{sys}/devices/@{pci}/eeprom r, @{sys}/devices/@{pci}/hwmon/hwmon@{int}/temp* r, @{sys}/devices/**/power_supply/** r, @{PROC}/@{pid}/net/wireless r, @{PROC}/@{pid}/net/dev r, @{PROC}/@{pid}/net/arp r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, @{PROC}/@{pids}/loginuid r, @{PROC}/uptime r, @{PROC}/loadavg r, @{PROC}/ioports r, @{PROC}/iomem r, @{PROC}/dma r, @{PROC}/asound/cards r, @{PROC}/scsi/scsi r, @{PROC}/bus/input/devices r, @{PROC}/sys/kernel/random/entropy_avail r, @{PROC}/@{pids}/net/route r, /etc/fstab r, /etc/exports r, /etc/samba/smb.conf r, /etc/gdb/gdbinit.d/ r, /usr/share/gdb/python/ r, /usr/share/gdb/python/** r, /var/log/wtmp r, owner @{HOME}/.hardinfo/ rw, owner /tmp/#@{int} rw, # Allowed apps to open @{lib}/firefox/firefox rPUx, # Silencer deny /usr/share/gdb/python/** w, # file_inherit owner /dev/tty@{int} rw, profile ccache { include @{bin}/ccache mr, @{lib}/llvm-[0-9]*/bin/clang rix, @{bin}/{,@{multiarch}-}gcc-[0-9]* rix, @{bin}/{,@{multiarch}-}g++-[0-9]* rix, /media/ccache/*/** rw, /etc/debian_version r, } profile javac { include include @{lib}/jvm/java-[0-9]*-openjdk-amd64/bin/* mr, @{lib}/jvm/java-[0-9]*-openjdk-amd64/lib/** mr, /etc/java-[0-9]*-openjdk/** r, /usr/share/java/*.jar r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/coredump_filter rw, @{sys}/fs/cgroup/{,**} r, owner /tmp/hsperfdata_*/ rw, owner /tmp/hsperfdata_*/@{pid} rw, } profile open { include include @{bin}/xdg-open mr, @{sh_path} rix, @{bin}/{m,g,}awk rix, @{bin}/readlink rix, @{bin}/basename rix, owner @{HOME}/ r, owner @{run}/user/@{uid}/ r, # Allowed apps to open @{lib}/firefox/firefox rPUx, # file_inherit owner @{HOME}/.xsession-errors w, } profile kmod { include @{bin}/kmod mr, @{sys}/module/** r, @{PROC}/cmdline r, @{PROC}/modules r, @{PROC}/ioports r, } include if exists }