# AppArmor profile for haveged entropy harvesting daemon
# Version of program profiled: 1.9.15
# Homepage: https://github.com/krathalan/apparmor-profiles
# Copyright 2009-2012 Steve Kostecke <steve@debian.org>;
#           2011-2014 Jérémy Bobbio <lunar@debian.org>;
#           2020 krathalan
# Licensed under GPLv3

abi <abi/3.0>,
include <tunables/global>

profile haveged /usr/bin/haveged {
  include if exists <local/haveged>
  include <abstractions/base>

  # Required for ioctl RNDADDENTROPY
  capability sys_admin,

  owner @{PROC}/@{pid}/status r,

  @{PROC}/sys/kernel/osrelease r,
  @{PROC}/sys/kernel/random/poolsize r,
  @{PROC}/sys/kernel/random/write_wakeup_threshold w,
  /dev/random w,

  /sys/devices/system/cpu/ r,
  /sys/devices/system/cpu/cpu*/cache/ r,
  /sys/devices/system/cpu/cpu*/cache/index*/{type,size,level} r,
  /usr/bin/haveged mr,
}
