# AppArmor profile for systemd-resolved network name resolution manager
# Version of program profiled: 255.7
# Homepage: https://github.com/krathalan/apparmor-profiles
# Copyright 2020-2024 (C) krathalan; Licensed under GPLv3

abi <abi/3.0>,
include <tunables/global>

profile systemd-resolved /usr/lib/systemd/systemd-resolved {
  include if exists <local/systemd-resolved>
  include <abstractions/base>
  include <abstractions/krathalans-nameservice>
  include <abstractions/p11-kit>
  include <abstractions/ssl_certs>
  network unix stream,
  network unix dgram,

  capability net_bind_service,
  capability net_raw,
  capability setpcap,

  /usr/lib/systemd/systemd-resolved r,

  # Networking
  include <abstractions/krathalans-networking>
  network inet dgram,
  network inet stream,
  network inet6 dgram,
  network inet6 stream,
  network netlink raw,

  # Runtime directories
  /{,var/}run/systemd/netif/links/* r,
  /{,var/}run/systemd/resolve/{,**} rw,

  # Config
  /etc/systemd/resolved.conf r,
  /etc/systemd/resolved.conf.d/{,*} r,

  # Proc
  owner @{PROC}/@{pid}/stat r,
  @{PROC}/cmdline r,
  @{PROC}/sys/kernel/hostname r,
  @{PROC}/sys/kernel/osrelease r,
  @{PROC}/sys/kernel/random/boot_id r,
  @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,

  # System access
  @{sys}/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c r,
  owner @{sys}/fs/cgroup/system.slice/systemd-resolved.service/memory.pressure rw,
}
