From 2262ae0896792abe86cf185dcf8ee3217b23b7f5 Mon Sep 17 00:00:00 2001
From: Jeroen Rijken <jeroen.rijken@xs4all.nl>
Date: Fri, 26 Aug 2022 10:38:46 +0200
Subject: [PATCH] Add LVM

---
 apparmor.d/profiles-a-f/blkdeactivate | 23 ++++++++++++++++
 apparmor.d/profiles-a-f/dmeventd      | 16 +++++++++++
 apparmor.d/profiles-g-l/lvm           | 38 +++++++++++++++++++++++++++
 apparmor.d/profiles-g-l/lvmconfig     | 20 ++++++++++++++
 apparmor.d/profiles-g-l/lvmdump       | 19 ++++++++++++++
 apparmor.d/profiles-g-l/lvmpolld      | 22 ++++++++++++++++
 6 files changed, 138 insertions(+)
 create mode 100644 apparmor.d/profiles-a-f/blkdeactivate
 create mode 100644 apparmor.d/profiles-a-f/dmeventd
 create mode 100644 apparmor.d/profiles-g-l/lvm
 create mode 100644 apparmor.d/profiles-g-l/lvmconfig
 create mode 100644 apparmor.d/profiles-g-l/lvmdump
 create mode 100644 apparmor.d/profiles-g-l/lvmpolld

diff --git a/apparmor.d/profiles-a-f/blkdeactivate b/apparmor.d/profiles-a-f/blkdeactivate
new file mode 100644
index 000000000..922c9c236
--- /dev/null
+++ b/apparmor.d/profiles-a-f/blkdeactivate
@@ -0,0 +1,23 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Jeroen Rijken
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}sbin/blkdeactivate
+profile blkdeactivate @{exec_path} flags=(complain) {
+  include <abstractions/base>
+
+  @{exec_path} rm,
+  /{usr/,}sbin/dmsetup rPUx,
+  /{usr/,}bin/grep rix,
+  /{usr/,}bin/lsblk rPx,
+  /{usr/,}sbin/lvm rPx,
+  /{usr/,}bin/sort rix,
+  /{usr/,}bin/umount rPx,
+
+  include if exists <local/blkdeactivate>
+}
+
diff --git a/apparmor.d/profiles-a-f/dmeventd b/apparmor.d/profiles-a-f/dmeventd
new file mode 100644
index 000000000..f92cb135b
--- /dev/null
+++ b/apparmor.d/profiles-a-f/dmeventd
@@ -0,0 +1,16 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Jeroen Rijken
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}sbin/dmeventd
+profile dmeventd @{exec_path} flags=(complain) {
+  include <abstractions/base>
+
+  @{exec_path} rm,
+
+  include if exists <local/dmeventd>
+}
diff --git a/apparmor.d/profiles-g-l/lvm b/apparmor.d/profiles-g-l/lvm
new file mode 100644
index 000000000..409b4e62f
--- /dev/null
+++ b/apparmor.d/profiles-g-l/lvm
@@ -0,0 +1,38 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Jeroen Rijken
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}sbin/lvm
+profile lvm @{exec_path} flags=(complain) {
+  include <abstractions/base>
+  include <abstractions/consoles>
+  include <abstractions/dbus-strict>
+  include <abstractions/disks-write>
+
+  capability sys_admin,
+  deny capability net_admin,
+
+  @{exec_path} rm,
+
+  /etc/lvm/** r,
+
+  @{run}/lvm/** rwk,
+  @{run}/lock/lvm/* rwk,
+
+  @{sys}/bus/ r,
+  @{sys}/devices/virtual/bdi/**/read_ahead_kb r,
+  @{sys}/class/ r,
+
+        @{PROC}/devices r,
+  owner @{PROC}/@{pid}/cmdline r,
+        @{PROC}/@{pid}/fd/ r,
+  owner @{PROC}/@{pid}/mounts r,
+
+  /dev/mapper/control rw,
+
+  include if exists <local/lvm>
+}
diff --git a/apparmor.d/profiles-g-l/lvmconfig b/apparmor.d/profiles-g-l/lvmconfig
new file mode 100644
index 000000000..90b7d4594
--- /dev/null
+++ b/apparmor.d/profiles-g-l/lvmconfig
@@ -0,0 +1,20 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Jeroen Rijken
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}sbin/lvmconfig
+profile lvmconfig @{exec_path} flags=(complain) {
+  include <abstractions/base>
+  include <abstractions/consoles>
+
+  @{exec_path} rm,
+
+  /etc/lvm/** rw,
+
+  include if exists <local/lvmconfig>
+}
+
diff --git a/apparmor.d/profiles-g-l/lvmdump b/apparmor.d/profiles-g-l/lvmdump
new file mode 100644
index 000000000..dc85a8a0b
--- /dev/null
+++ b/apparmor.d/profiles-g-l/lvmdump
@@ -0,0 +1,19 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Jeroen Rijken
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}sbin/lvmdump
+profile lvmdump @{exec_path} flags=(complain) {
+  include <abstractions/base>
+  include <abstractions/consoles>
+  include <abstractions/disks-read>
+
+  @{exec_path} rm,
+
+  include if exists <local/lvmdump>
+}
+
diff --git a/apparmor.d/profiles-g-l/lvmpolld b/apparmor.d/profiles-g-l/lvmpolld
new file mode 100644
index 000000000..abc8ee87c
--- /dev/null
+++ b/apparmor.d/profiles-g-l/lvmpolld
@@ -0,0 +1,22 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Jeroen Rijken
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}sbin/lvmpolld
+profile lvmpolld @{exec_path} flags=(complain) {
+  include <abstractions/base>
+  include <abstractions/consoles>
+  include <abstractions/nameservice-strict>
+
+  @{exec_path} rm,
+  /{usr/,}bin/grep rix,
+  /{usr/,}bin/umount rPx,
+
+  @{run}/lvmpolld.pid rwk,
+
+  include if exists <local/lvmpolld>
+}