# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/3.0>,

include <tunables/global>

@{exec_path} = @{libexec}/boltd
profile boltd @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/dbus-strict>
  include <abstractions/nameservice-strict>

  capability net_admin,

  network netlink raw,

  dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
      interface=org.freedesktop.DBus.Properties
      member=GetAll,
  
  dbus send bus=system path=/org/freedesktop/DBus
      interface=org.freedesktop.DBus
      member=RequestName,
  
  dbus receive bus=system path=/org/freedesktop/bolt
      interface=org.freedesktop.DBus.Properties
      member=GetAll,
  
  dbus receive bus=system path=/org/freedesktop/bolt
      interface=org.freedesktop.bolt1.Manager
      member=ListDevices,
  
  dbus bind bus=system 
      name=org.freedesktop.bolt,

  @{exec_path} mr,

  /var/lib/boltd/{,**} rw,

  owner @{run}/boltd/{,**} rw,

  @{run}/systemd/notify rw,
  @{run}/systemd/journal/socket w,
  @{run}/udev/data/+thunderbolt:* r,

  @{sys}/bus/ r,
  @{sys}/bus/thunderbolt/devices/ r,
  @{sys}/bus/wmi/devices/ r,
  @{sys}/class/ r,
  @{sys}/devices/pci[0-9]*/**/device  r,
  @{sys}/devices/pci[0-9]*/**/domain[0-9]*/{security,uevent} r,
  @{sys}/devices/pci[0-9]*/**/domain[0-9]*/**/ r,
  @{sys}/devices/pci[0-9]*/**/domain[0-9]*/**/{authorized,generation} r,
  @{sys}/devices/pci[0-9]*/**/domain[0-9]*/**/{uevent,unique_id} r,
  @{sys}/devices/pci[0-9]*/**/domain[0-9]*/**/{vendor,device}_name r,
  @{sys}/devices/pci[0-9]*/**/domain[0-9]*/iommu_dma_protection r,
  @{sys}/devices/platform/**/uevent r,
  @{sys}/devices/platform/*/wmi_bus/wmi_bus-*/@{uuid}/force_power rw,
  @{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name} r,

  include if exists <local/boltd>
}