# vim:syntax=apparmor
# ------------------------------------------------------------------
#
#    Copyright (C) 2019-2021 Mikhail Morfikov
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License published by the Free Software Foundation.
#
# ------------------------------------------------------------------

abi <abi/3.0>,

include <tunables/global>

@{exec_path} = /{usr/,}sbin/update-initramfs
profile update-initramfs @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>

  @{exec_path} rix,
  /{usr/,}bin/{,ba,da}sh    rix,

  /{usr/,}sbin/             r,

  /{usr/,}bin/getopt        rix,
  /{usr/,}bin/ischroot      rix,
  /{usr/,}bin/gawk          rix,
  /{usr/,}bin/ln            rix,
  /{usr/,}bin/mv            rix,
  /{usr/,}bin/rm            rix,
  /{usr/,}bin/cat           rix,
  /{usr/,}bin/sha1sum       rix,
  /{usr/,}bin/sync          rix,
  /{usr/,}bin/uname         rix,

  /{usr/,}bin/dpkg-trigger  rPx,
  /{usr/,}bin/linux-version rPx,
  /{usr/,}sbin/mkinitramfs  rPx,

  /var/lib/initramfs-tools/* w,

  # For shell pwd
  / r,
  /etc/ r,
  /root/ r,

  /etc/initramfs-tools/update-initramfs.conf r,

        @{PROC}/1/mountinfo r,
  owner @{PROC}/@{pid}/mountinfo r,
  owner @{PROC}/@{pid}/mounts r,

  owner /boot/ r,
  owner /boot/initrd.img-* rw,
  owner /boot/initrd.img-*.dpkg-bak rwl -> /boot/initrd.img-*,

  include if exists <local/update-initramfs>
}