# AppArmor profile for systemd-networkd network manager
# Version of program profiled: 255.7
# Homepage: https://github.com/krathalan/apparmor-profiles
# Copyright 2020-2024 (C) krathalan; Licensed under GPLv3

abi <abi/3.0>,
include <tunables/global>

profile systemd-networkd /usr/lib/systemd/systemd-networkd {
  include if exists <local/systemd-networkd>
  include <abstractions/base>
  network unix dgram,
  network unix stream,

  capability net_admin,
  capability net_bind_service,
  capability net_raw,

  /usr/lib/systemd/systemd-networkd r,

  # Networking
  network inet dgram,
  network inet6 dgram,
  network inet6 raw,
  network netlink raw,
  network packet raw,
  network packet dgram,

  # Runtime dir
  /{,var/}run/systemd/netif/{,**} rw,
  /{,var/}run/systemd/network/{,**} r,
  /{,var/}run/udev/data/n[0-9] r,

  # Config
  /etc/machine-id r,
  /etc/systemd/networkd.conf r,
  /etc/systemd/network/{,*} r,

  # Proc
  owner @{PROC}/@{pid}/stat r,
  @{PROC}/cmdline r,
  @{PROC}/sys/kernel/osrelease r,
  @{PROC}/sys/kernel/random/boot_id r,
  @{PROC}/sys/net/ipv{4,6}/conf/*/* rw,
  @{PROC}/sys/net/ipv{4,6}/route/* r,

  # System access
  @{sys}/devices/pci[0-9]*/{*,**}/ r,
  @{sys}/devices/pci[0-9]*/**/net/*/{dev_port,name_assign_type,uevent} r,
  @{sys}/devices/virtual/net/*/{dev_port,uevent} r,
  @{sys}/devices/virtual/dmi/id/{bios_vendor,board_vendor,product_name,product_version,sys_vendor} r,
  @{sys}/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c r,
  owner @{sys}/fs/cgroup/system.slice/systemd-networkd.service/memory.pressure rw,
}
