#------------------------------------------------------------------
#    Copyright (C) 2025 Canonical Ltd.
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License published by the Free Software Foundation.
#------------------------------------------------------------------
# vim: ft=apparmor

# Policy ABI: rule semantics (including the priority= keyword used in the
# profile below) follow AppArmor 4.0.
abi <abi/4.0>,

# Standard tunables (@{PROC}, @{HOME}, ...) required by the included abstractions.
include <tunables/global>

# Helper binaries pollinate may exec. Glob notes: `\[` is the `[` (test) binary
# with the class metacharacter escaped, `sha*sum` covers the sha*sum family,
# `*awk`/`*grep` cover the awk and grep variants. The optional `gnu` prefix
# applies to the first alternative group only (e.g. gnucat / cat); the second
# group (awk, coreutils, grep, logger, sed) is matched unprefixed.
@{coreutils}={{gnu,}{\[,cat,head,mktemp,sha*sum,rm,stat,touch,xxd},{*awk,coreutils,*grep,logger,sed}}

# pollinate: fetches seed material over the network (curl, TLS trust via
# ssl_certs) and writes it to the kernel pool. Rules are grouped by purpose;
# every exec rule is either ix (stay in this profile) or Pix (transition when
# a helper profile is loaded), so no child runs unconfined from here.
profile pollinate /usr/bin/pollinate {
  include <abstractions/base>
  # NOTE(review): there is no explicit `network` rule in this profile; DNS and
  # curl's outbound connection rely on the network rules carried by the
  # nameservice abstraction on the installed AppArmor — confirm if the
  # abstraction is ever tightened.
  include <abstractions/nameservice>
  # CA trust store reads for TLS verification by curl.
  include <abstractions/ssl_certs>

  # Used for building/sending challenge payload.
  include <abstractions/user-tmp>

  # The profiled binary itself: read + map only, never writable.
  file mr /usr/bin/pollinate,
  # curl inherits this profile (ix), so its file and network reach is bounded by
  # the rules here. priority=1 (default 0) makes this rule win over any
  # overlapping lower-priority exec rule for curl that an include might add —
  # presumably why it is pinned; verify if <local/pollinate> ever adds a curl rule.
  priority=1 file rix /usr/bin/curl,
  # Pix: transition to the helper's own profile (environment-scrubbed) when one
  # is loaded, otherwise inherit this profile.
  file Pix /usr/bin/@{coreutils},

  # Allow loading config
  file r /etc/pollinate/*,
  file r /etc/default/pollinate,

  # Allow access to user-agent data sent to server.
  # optional data
  file Pix /usr/bin/hostname,
  file r /proc/uptime,
  file r /etc/cloud/build.info,
  file Pix /usr/bin/{gnu,}uname,
  file r /proc/sys/kernel/osrelease,
  file Pix /usr/bin/systemd-detect-virt,

  # required data
  file r /etc/lsb-release,
  # dpkg-query is required for reporting package versions in the user agent
  file Pix /usr/bin/dpkg{,-query},
  # Recursive read of the dpkg database is what dpkg-query needs when it falls
  # back to inheriting this profile; read-only, so package state cannot be
  # altered from here.
  file r /etc/dpkg/**,
  file r /var/lib/dpkg/**,

  # Outputs from pollinate
  # Write access on /dev/urandom is how the fetched seed reaches the kernel pool.
  file rw /dev/urandom,
  # Cache/state kept between runs.
  file rw /var/cache/pollinate/*,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/pollinate>
}
 
