# vim:syntax=apparmor
# ------------------------------------------------------------------
#
#    Copyright (C) 2019-2021 Mikhail Morfikov
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License published by the Free Software Foundation.
#
# ------------------------------------------------------------------

abi <abi/3.0>,

include <tunables/global>

@{exec_path} = /{usr/,}sbin/hwinfo
profile hwinfo @{exec_path} {
  include <abstractions/base>
  include <abstractions/disks-read>

  # Without the sys_admin CAP, some information, for instance the reserved I/O port address range
  # in the /proc/ioports, will be hidden.
  capability sys_admin,

  # For the kernel log entries to be shown in the output
  capability syslog,

  # To remove the following errors:
  #  eth0: socket failed: Operation not permitted
  capability net_raw,

  # Needed when passed disk related options (--block, --partition, --floppy)
  capability sys_rawio,

  network inet dgram,
  network inet6 dgram,
  network packet raw,

  @{exec_path} mr,

  /{usr/,}bin/{,ba,da}sh rix,

  /{usr/,}bin/kmod       rCx -> kmod,
  /{usr/,}bin/udevadm    rCx -> udevadm,

  /{usr/,}sbin/dmraid   rPUx,

  @{PROC}/version r,
  @{PROC}/cmdline r,
  @{PROC}/dma r,
  @{PROC}/interrupts r,
  @{PROC}/modules r,
  @{PROC}/tty/driver/serial r,
  @{PROC}/ioports r,
  @{PROC}/bus/input/devices r,
  @{PROC}/partitions r,
  @{PROC}/driver/nvram r,
  @{PROC}/sys/dev/cdrom/info r,

  /dev/mem r,
  /dev/nvram r,
  /dev/psaux r,
  /dev/console rw,
  /dev/ttyS0 r,
  /dev/ttyS1 r,
  /dev/fb[0-9] r,

  @{sys}/bus/{,**/} r,
  @{sys}/class/*/ r,
  @{sys}/devices/pci[0-9]*/** r,
  @{sys}/devices/**/input/**/dev r,
  @{sys}/devices/**/{modalias,uevent} r,
  @{sys}/devices/virtual/net/*/{type,carrier,address} r,
  @{sys}/firmware/dmi/tables/DMI r,
  @{sys}/firmware/dmi/tables/smbios_entry_point r,
  @{sys}/firmware/edd/{,**} r,

  /var/lib/hardware/udi/ r,

  # For a log file
  owner /tmp/hwinfo*.txt rw,


  profile kmod {
    include <abstractions/base>

    /{usr/,}bin/kmod mr,

    /etc/modprobe.d/{,*.conf} r,

    @{PROC}/cmdline r,

    # file_inherit
    /dev/ttyS0 r,
    /dev/ttyS1 r,
    owner /tmp/hwinfo*.txt rw,
    @{sys}/devices/pci[0-9]*/**/drm/card[0-9]*/ r,

  }

  profile udevadm {
    include <abstractions/base>

    /{usr/,}bin/udevadm mr,

    /etc/udev/udev.conf r,

    owner @{PROC}/@{pid}/stat r,
          @{PROC}/cmdline r,
          @{PROC}/1/sched r,
          @{PROC}/1/environ r,
          @{PROC}/sys/kernel/osrelease r,

    @{sys}/** r,
    @{run}/udev/data/* r,

    # file_inherit
    owner /tmp/hwinfo*.txt rw,

  }

  include if exists <local/hwinfo>
}