# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/3.0>,

include <tunables/global>

@{exec_path} = /etc/init.d/kexec
profile initd-kexec @{exec_path} {
  include <abstractions/base>

  @{exec_path} r,
  /{usr/,}bin/{,ba,da}sh rix,

  /{usr/,}bin/cat        rix,
  /{usr/,}bin/readlink   rix,
  /{usr/,}bin/tput       rix,
  /{usr/,}bin/echo       rix,

  /{usr/,}sbin/kexec     rPx,

  /{usr/,}bin/run-parts  rCx -> run-parts,
  /{usr/,}bin/systemctl  rCx -> systemctl,

  /etc/default/kexec r,

  @{sys}/kernel/kexec_loaded r,

  profile run-parts {
    include <abstractions/base>

    /{usr/,}bin/run-parts mr,

    /etc/default/kexec.d/ r,

  }

  profile systemctl {
    include <abstractions/base>

    capability sys_resource,

    ptrace (read),

    /{usr/,}bin/systemctl mr,

    /{usr/,}bin/systemd-tty-ask-password-agent rix,

    owner @{PROC}/@{pid}/stat r,
    owner @{PROC}/@{pid}/fd/ r,
          @{PROC}/sys/kernel/osrelease r,
          @{PROC}/1/sched r,
          @{PROC}/1/environ r,
          @{PROC}/cmdline r,

    /dev/kmsg w,

    owner @{run}/systemd/ask-password/ rw,
    owner @{run}/systemd/ask-password-block/* rw,

  }

  include if exists <local/initd-kexec>
}