# systemctl-mqtt - MQTT client triggering & reporting shutdown on systemd-based systems
#
# Copyright (C) 2020 Fabian Peter Hammerle <fabian@hammerle.me>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <https://www.gnu.org/licenses/>.
#include <tunables/global>
profile systemctl-mqtt flags=(attach_disconnected) {
#include <abstractions/base>
network inet,
# https://jlk.fjfi.cvut.cz/arch/manpages/man/apparmor.d.5#Access_Modes
/systemctl-mqtt/ r,
/systemctl-mqtt/** r,
# https://presentations.nordisch.org/apparmor/#/25
/systemctl-mqtt/.venv/bin/systemctl-mqtt rix,
/etc/** r,
/usr/lib/** rm,
/var/** r,
deny /bin/** rwklx,
deny @{PROC}/** rwklx,
deny /sys/** rwklx,
# https://gitlab.com/apparmor/apparmor/-/wikis/AppArmorDBus
#include <abstractions/dbus-strict>
dbus (send, receive)
bus=system
path=/org/freedesktop/login1
interface=org.freedesktop.DBus.Introspectable
member=Introspect
peer=(label=unconfined),
dbus (send)
bus=system
path=/org/freedesktop/login1
interface=org.freedesktop.login1.Manager
member={Inhibit,ListInhibitors,ScheduleShutdown,LockSessions,Suspend}
peer=(label=unconfined),
dbus (receive)
bus=system
path=/org/freedesktop/login1
interface=org.freedesktop.login1.Manager
member=PrepareForShutdown
peer=(label=unconfined),
dbus (send)
bus=system
path=/org/freedesktop/login1
interface=org.freedesktop.DBus.Properties
member=Get
peer=(label=unconfined),
}