From 2b8a9498a97f4fc317fc8d161ae60c9e35d3c87d Mon Sep 17 00:00:00 2001
From: Dan Streetman <ddstreet@canonical.com>
Date: Fri, 25 Apr 2025 17:54:01 +0200
Subject: [PATCH] Adding apparmor-profile to allow haveged to bind to unix
 sockets.

Signed-off-by: Daniel Baumann <daniel@debian.org>
---
 debian/usr.sbin.haveged | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)
 create mode 100644 debian/usr.sbin.haveged

diff --git a/debian/usr.sbin.haveged b/debian/usr.sbin.haveged
new file mode 100644
index 0000000..5fd18b8
--- /dev/null
+++ b/debian/usr.sbin.haveged
@@ -0,0 +1,28 @@
+# Last Modified: Fri Aug 21 15:23:17 2015
+#include <tunables/global>
+
+/usr/sbin/haveged {
+  #include <abstractions/base>
+  #include <abstractions/consoles>
+
+  # Required for ioctl RNDADDENTROPY
+  capability sys_admin,
+
+  network unix stream,
+
+  owner @{PROC}/@{pid}/status r,
+
+  @{PROC}/sys/kernel/osrelease r,
+  @{PROC}/sys/kernel/random/poolsize r,
+  @{PROC}/sys/kernel/random/write_wakeup_threshold w,
+  /dev/random w,
+
+  /sys/devices/system/cpu/ r,
+  /sys/devices/system/cpu/cpu*/cache/ r,
+  /sys/devices/system/cpu/cpu*/cache/index*/{type,size,level} r,
+  /usr/sbin/haveged mr,
+
+  /run/haveged.pid w,
+
+  #include <local/usr.sbin.haveged>
+}