From 50e48455be9056bf84929d825839fb3834d48a7a Mon Sep 17 00:00:00 2001
From: Alexandre <44178713+alexbelgium@users.noreply.github.com>
Date: Thu, 9 Jun 2022 10:22:48 +0200
Subject: [PATCH] Create apparmor.txt
---
 scrutiny_fa/apparmor.txt | 68 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 68 insertions(+)
 create mode 100644 scrutiny_fa/apparmor.txt
diff --git a/scrutiny_fa/apparmor.txt b/scrutiny_fa/apparmor.txt
new file mode 100644
index 000000000..08a51a81f
--- /dev/null
+++ b/scrutiny_fa/apparmor.txt
@@ -0,0 +1,68 @@
+#include
+
+profile db21ed7f_scrutiny flags=(attach_disconnected,mediate_deleted) {
+ #include
+
+ capability,
+ file,
+ signal,
+ mount,
+ umount,
+ remount,
+ network udp,
+ network tcp,
+ network dgram,
+ network stream,
+ network inet,
+ network inet6,
+ network netlink raw,
+
+ capability setgid,
+ capability setuid,
+ capability dac_override,
+ capability sys_admin,
+ capability dac_read_search,
+ capability sys_rawio,
+
+# S6-Overlay
+ /bin/** ix,
+ /usr/bin/** ix,
+ /usr/lib/bashio/** ix,
+ /etc/s6/** rix,
+ /run/s6/** rix,
+ /etc/services.d/** rwix,
+ /etc/cont-init.d/** rwix,
+ /etc/cont-finish.d/** rwix,
+ /init rix,
+ /var/run/** mrwkl,
+ /var/run/ mrwkl,
+ /dev/i2c-1 mrwkl,
+ # Files required
+ /dev/sda1 mrwkl,
+ /dev/sdb1 mrwkl,
+ /dev/mmcblk0p1 mrwkl,
+ /dev/* mrwkl,
+ /tmp/** mrkwl,
+ /dev/sda mrwkl,
+ /dev/sdb mrwkl,
+ /dev/sdc mrwkl,
+ /dev/sdd mrwkl,
+ /dev/sde mrwkl,
+ /dev/sdf mrwkl,
+ /dev/sdg mrwkl,
+ /dev/nvme0 mrwkl,
+ /dev/nvme1 mrwkl,
+ /dev/nvme2 mrwkl,
+ /dev/nvme3 mrwkl,
+ /dev/nvme4 mrwkl,
+
+ # Data access
+ /data/** rw,
+
+ # suppress ptrace denials when using 'docker ps' or using 'ps' inside a container
+ ptrace (trace,read) peer=docker-default,
+
+ # docker daemon confinement requires explict allow rule for signal
+ signal (receive) set=(kill,term) peer=/usr/bin/docker,
+
+}
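Review bot: The bare `capability,`, `file,`, `signal,`, `mount,`, `umount,` and `remount,` rules at the top of the profile body grant every capability, unrestricted file access, all signals and all mount operations, so the profile confines almost nothing and every narrower rule beneath them (the `capability setuid,` … `capability sys_rawio,` list, the `/dev/sd* mrwkl,` and `/dev/nvme* mrwkl,` entries, `/data/** rw,`, and the `signal (receive) set=(kill,term) peer=/usr/bin/docker,` rule) is dead. If the intent is least privilege for a disk-monitoring add-on, delete those six bare rules and keep the explicit ones; `/dev/* mrwkl,` likewise already subsumes the individual `/dev/sda*`/`/dev/nvme*` lines, so either that wildcard or the per-device list should go, and the S6/`/bin/** ix` rules would then be the only executable grants. Separately, both `#include` lines as rendered carry no target — presumably an angle-bracketed path was stripped when the patch was displayed — but as printed they are not loadable AppArmor syntax, so the committed file should be checked to read `#include <PLACEHOLDER_PATH>` on each. The misordered permission string on `/tmp/** mrkwl,` is harmless (order is not significant) but worth normalising to `mrwkl` for consistency with the rest of the file.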