apparmor.d/profiles/inxi

# vim:syntax=apparmor
# ------------------------------------------------------------------
#
#    Copyright (C) 2019-2021 Mikhail Morfikov
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License published by the Free Software Foundation.
#
# ------------------------------------------------------------------

abi <abi/3.0>,

include <tunables/global>

@{exec_path} = /{usr/,}bin/inxi
profile inxi @{exec_path} {
  include <abstractions/base>
  include <abstractions/nameservice-strict>
  include <abstractions/perl>
  include <abstractions/openssl>

  network inet dgram,
  network inet6 dgram,
  network inet stream,
  network inet6 stream,
  network netlink raw,

  @{exec_path} r,
  /{usr/,}bin/perl r,

  /{usr/,}bin/ r,
  /{usr/,}bin/{,ba,da}sh rix,
  /{usr/,}bin/zsh        rix,
  /{usr/,}bin/tty        rix,
  /{usr/,}bin/tput       rix,
  /{usr/,}bin/{,@{multiarch}-}gcc-[0-9]* rix,
  /{usr/,}bin/getconf    rix,
  /{usr/,}bin/file       rix,

  /{usr/,}bin/ip              rCx -> ip,
  /{usr/,}lib/systemd/systemd rCx -> systemd,
  /{usr/,}bin/kmod            rCx -> kmod,
  /{usr/,}bin/udevadm         rCx -> udevadm,

  /{usr/,}bin/systemctl  rPx -> child-systemctl,

  # Do not strip env to avoid errors like the following:
  #  ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open
  #  shared object file): ignored.
  /{usr/,}bin/dpkg-query rpx,

  /{usr/,}bin/compton    rPx,
  /{usr/,}bin/xrandr     rPx,
  /{usr/,}bin/glxinfo    rPx,
  /{usr/,}bin/lspci      rPx,
  /{usr/,}bin/lsusb      rPx,
  /{usr/,}bin/lsblk      rPx,
  /{usr/,}bin/sensors    rPx,
  /{usr/,}bin/uptime     rPx,
  /{usr/,}sbin/dmidecode rPx,
  /{usr/,}bin/xdpyinfo   rPx,
  /{usr/,}bin/who        rPx,
  /{usr/,}bin/xprop      rPx,
  /{usr/,}bin/df         rPx,
  /{usr/,}sbin/blockdev  rPx,
  /{usr/,}bin/dig        rPx,
  /{usr/,}bin/ps         rPx,
  /{usr/,}bin/sudo       rPx,
  /{usr/,}bin/openbox    rPx,
  /{usr/,}bin/xset       rPx,
  /{usr/,}sbin/smartctl  rPx,
  /{usr/,}sbin/hddtemp   rPx,

  /etc/ r,
  /etc/inxi.conf r,
  /etc/issue r,
  /etc/magic r,
  /etc/apt/sources.list r,
  /etc/apt/sources.list.d/{,*.list} r,

  /var/log/ r,
  /var/log/Xorg.[0-9]*.log r,

  /home/ r,
  @{HOME}/.local/share/xorg/ r,
  @{HOME}/.local/share/xorg/Xorg.[0-9]*.log r,

  # For shell pwd
  /root/ r,

  @{run}/ r,

  @{PROC}/asound/ r,
  @{PROC}/asound/version r,
  @{PROC}/sys/kernel/hostname r,
  @{PROC}/swaps r,
  @{PROC}/partitions r,
  @{PROC}/scsi/scsi r,
  @{PROC}/cmdline r,
  @{PROC}/version r,
  @{PROC}/sys/vm/swappiness r,
  @{PROC}/sys/vm/vfs_cache_pressure r,
  @{PROC}/sys/dev/cdrom/info r,
  @{PROC}/1/comm r,

  /dev/ r,
  /dev/mapper/ r,
  /dev/disk/*/ r,
  /dev/dm-[0-9]* r,

  @{sys}/class/power_supply/ r,
  @{sys}/class/net/ r,
  @{sys}/firmware/acpi/tables/ r,
  @{sys}/bus/usb/devices/ r,
  @{sys}/devices/{,**} r,
  @{sys}/module/*/version r,
  @{sys}/power/wakeup_count r,


  profile ip {
    include <abstractions/base>

    network netlink raw,

    /{usr/,}bin/ip mr,

    @{sys}/devices/pci[0-9]*/**/net/*/{duplex,address,speed,operstate} r,

    /etc/iproute2/group r,

  }

  profile systemd {
    include <abstractions/base>

    /{usr/,}lib/systemd/systemd mr,

    /etc/systemd/user.conf r,

    owner @{PROC}/@{pid}/stat r,
          @{PROC}/sys/kernel/pid_max r,
          @{PROC}/sys/kernel/threads-max r,
          @{PROC}/1/cgroup r,

  }

  profile udevadm {
    include <abstractions/base>

    /{usr/,}bin/udevadm mr,

    /etc/udev/udev.conf r,

    owner @{PROC}/@{pid}/stat r,
          @{PROC}/cmdline r,
          @{PROC}/1/sched r,
          @{PROC}/1/environ r,
          @{PROC}/sys/kernel/osrelease r,

    @{sys}/devices/pci[0-9]*/**/block/**/uevent r,
    @{run}/udev/data/b* r,

  }

  profile kmod {
    include <abstractions/base>

    /{usr/,}bin/kmod mr,

    @{PROC}/cmdline r,
    @{PROC}/modules r,

  }

  include if exists <local/inxi>
}