Add LVM

apparmor.d/profiles-a-f/blkdeactivate

@@ -0,0 +1,23 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Jeroen Rijken
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}sbin/blkdeactivate
+profile blkdeactivate @{exec_path} flags=(complain) {
+  include <abstractions/base>
+
+  @{exec_path} rm,
+  /{usr/,}sbin/dmsetup rPUx,
+  /{usr/,}bin/grep rix,
+  /{usr/,}bin/lsblk rPx,
+  /{usr/,}sbin/lvm rPx,
+  /{usr/,}bin/sort rix,
+  /{usr/,}bin/umount rPx,
+
+  include if exists <local/blkdeactivate>
+}
+

apparmor.d/profiles-a-f/dmeventd

@@ -0,0 +1,16 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Jeroen Rijken
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}sbin/dmeventd
+profile dmeventd @{exec_path} flags=(complain) {
+  include <abstractions/base>
+
+  @{exec_path} rm,
+
+  include if exists <local/dmeventd>
+}

apparmor.d/profiles-g-l/lvm

@@ -0,0 +1,38 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Jeroen Rijken
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}sbin/lvm
+profile lvm @{exec_path} flags=(complain) {
+  include <abstractions/base>
+  include <abstractions/consoles>
+  include <abstractions/dbus-strict>
+  include <abstractions/disks-write>
+
+  capability sys_admin,
+  deny capability net_admin,
+
+  @{exec_path} rm,
+
+  /etc/lvm/** r,
+
+  @{run}/lvm/** rwk,
+  @{run}/lock/lvm/* rwk,
+
+  @{sys}/bus/ r,
+  @{sys}/devices/virtual/bdi/**/read_ahead_kb r,
+  @{sys}/class/ r,
+
+        @{PROC}/devices r,
+  owner @{PROC}/@{pid}/cmdline r,
+        @{PROC}/@{pid}/fd/ r,
+  owner @{PROC}/@{pid}/mounts r,
+
+  /dev/mapper/control rw,
+
+  include if exists <local/lvm>
+}

apparmor.d/profiles-g-l/lvmconfig

@@ -0,0 +1,20 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Jeroen Rijken
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}sbin/lvmconfig
+profile lvmconfig @{exec_path} flags=(complain) {
+  include <abstractions/base>
+  include <abstractions/consoles>
+
+  @{exec_path} rm,
+
+  /etc/lvm/** rw,
+
+  include if exists <local/lvmconfig>
+}
+

apparmor.d/profiles-g-l/lvmdump

@@ -0,0 +1,19 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Jeroen Rijken
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}sbin/lvmdump
+profile lvmdump @{exec_path} flags=(complain) {
+  include <abstractions/base>
+  include <abstractions/consoles>
+  include <abstractions/disks-read>
+
+  @{exec_path} rm,
+
+  include if exists <local/lvmdump>
+}
+

apparmor.d/profiles-g-l/lvmpolld

@@ -0,0 +1,22 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Jeroen Rijken
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}sbin/lvmpolld
+profile lvmpolld @{exec_path} flags=(complain) {
+  include <abstractions/base>
+  include <abstractions/consoles>
+  include <abstractions/nameservice-strict>
+
+  @{exec_path} rm,
+  /{usr/,}bin/grep rix,
+  /{usr/,}bin/umount rPx,
+
+  @{run}/lvmpolld.pid rwk,
+
+  include if exists <local/lvmpolld>
+}