From e9dd7b6a1d6945e7307555ab0c09f895acaac811 Mon Sep 17 00:00:00 2001
From: Jeroen Rijken <jeroen.rijken@xs4all.nl>
Date: Mon, 5 Sep 2022 20:18:35 +0200
Subject: [PATCH] Permissions for warning scripts

---
 apparmor.d/profiles-s-z/smartd | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/apparmor.d/profiles-s-z/smartd b/apparmor.d/profiles-s-z/smartd
index ac1aeb0d7..9298c081f 100644
--- a/apparmor.d/profiles-s-z/smartd
+++ b/apparmor.d/profiles-s-z/smartd
@@ -11,6 +11,7 @@ include <tunables/global>
 profile smartd @{exec_path} {
   include <abstractions/base>
   include <abstractions/disks-read>
+  include <abstractions/nameservice-strict>
 
   # To remove the following errors:
   #  Device: /dev/disk/by-id/ata-*, IE (SMART) not enabled, skip device
@@ -24,6 +25,14 @@ profile smartd @{exec_path} {
   deny capability net_admin,
 
   @{exec_path} mr,
+  /{usr/,}bin/{,ba,da}sh rix,
+  /{usr/,}bin/cat        rix,
+  /{usr/,}bin/hostname   rix,
+  /{usr/,}bin/mail       rix,
+  /{usr/,}bin/mktemp     rix,
+  /{usr/,}bin/run-parts  rix,
+  /usr/share/smartmontools/{smartd-runner,smartd_warning.sh} rix,
+  /etc/smartmontools/run.d/* rix,
 
   /etc/smartd.conf r,
 
@@ -42,6 +51,7 @@ profile smartd @{exec_path} {
   @{PROC}/devices r,
 
   /run/systemd/notify rw,
+  /tmp/tmp.* rw,
 
   include if exists <local/smartd>
 }