# This AppArmor profile is part of the prometheus-wireguard_exporter package
# Georg Pfuetzenreuter <mail+apparmor@georg-pfuetzenreuter.net>

abi <abi/3.0>,

include <tunables/global>

# Confinement for the exporter process itself.
#
# Trust boundary of this profile: the exporter may talk TCP, read its own
# binary, run sudo under the local child profile below, and run wg.  Both
# wg exec rules use PUx, i.e. wg leaves AppArmor confinement entirely
# (environment scrubbed, no profile).  Nothing in this file constrains the
# arguments wg is invoked with; any restriction of what the exporter can
# do as root through wg has to come from the sudoers entry, not from here.
/usr/sbin/wireguard_exporter {
  include <abstractions/base>

  # TCP sockets over IPv4 and IPv6 (presumably the scrape listener).
  network inet stream,
  network inet6 stream,

  # Map its own executable.
  /usr/sbin/wireguard_exporter mr,
  # Run sudo under the "sudo" child profile defined below (Cx = local,
  # child profile; environment scrubbed on transition).
  /usr/bin/sudo Cx -> sudo,
  # Run wg unconfined (PUx).  Confinement of the exporter ends here.
  /usr/bin/wg PUx,

  # Child profile for sudo as launched by the exporter.  Rules below are
  # allow rules and order-independent; they are the minimum observed for
  # sudo to elevate and exec wg.  Note that wg itself is again PUx, so the
  # capabilities granted here apply to the sudo process only, not to wg.
  profile sudo {
    # TODO: reuse the sudo abstraction from
    # https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/abstractions/app/sudo
    # once that is possible without pulling in the whole apparmor.d package.
    # authentication: PAM/NSS credential files sudo reads to authorize;
    # nameservice: user/group/host lookups.
    include <abstractions/authentication>
    include <abstractions/base>
    include <abstractions/nameservice>

    # audit_write pairs with the "network netlink raw" rule below: sudo's
    # audit records are sent over a netlink audit socket.
    capability audit_write,
    # NOTE(review): net_admin is not an obvious requirement of sudo itself
    # (wg runs unconfined and does not inherit from this profile).  Verify
    # against the audit log and drop it if nothing actually needs it.
    capability net_admin,
    # Credential switch to the target user/group.
    capability setgid,
    capability setuid,
    # Presumably for applying resource limits (see limits.d read below).
    capability sys_resource,

    network netlink raw,

    # "owner" rules only match when the process fsuid equals the file
    # owner.  These /etc files are root-owned, so this relies on sudo being
    # setuid root (the normal installation) — with a non-setuid sudo these
    # reads would be denied.
    owner @{etc_ro}/ld.so.cache r,
    owner @{etc_ro}/security/limits.d/ r,
    owner @{etc_ro}/{environment,{nsswitch,sudo}.conf} r,
    # Policy files: no "owner" here, readable regardless of fsuid.
    @{etc_ro}/sudoers{,.d/{,*}} r,

    # Kernel state sudo inspects at startup (FIPS mode, seccomp actions,
    # mounted filesystem types).
    owner /proc/filesystems r,
    owner /proc/sys/crypto/fips_enabled r,
    owner /proc/sys/kernel/seccomp/actions_avail r,

    # Controlling terminal (prompts / tty handling); /dev/null is also
    # covered rw by abstractions/base.
    /dev/tty rw,
    /dev/null r,

    # sudo's private helper library.
    owner /usr/lib/sudo/libsudo_util.so.* mr,

    # sudo inspects its own open fds and process status.
    @{PROC}/@{pid}/{fd/,stat} r,

    # The sudo binary itself, mapped inside the child profile.
    /usr/bin/sudo mr,

    # Exec wg unconfined with a scrubbed environment.  No timestamp
    # directory (e.g. @{run}/sudo/ts/) is allowed here; NOTE(review):
    # presumably the sudoers entry is NOPASSWD — if a password timestamp
    # is ever used, expect denials there.
    /usr/bin/wg PUx,
  }
}
