# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/3.0>,

include <tunables/global>

@{exec_path} = @{lib}/systemd/systemd-remount-fs
profile systemd-remount-fs @{exec_path} {
  include <abstractions/base>
  include <abstractions/nameservice-strict>
  include <abstractions/systemd-common>

  capability net_admin,
  capability sys_admin,
  capability sys_resource,

  mount options=(rw, remount) -> /,
  mount options=(rw, remount) -> /proc/,

  @{exec_path} mr,

  @{bin}/mount rix,

  /etc/fstab r,

  @{run}/host/container-manager r,
  @{run}/mount/utab rw,
  @{run}/mount/utab.?????? rw,
  @{run}/mount/utab.lock rwk,

  @{PROC}/ r,
  @{PROC}/1/cmdline r,

  include if exists <local/systemd-remount-fs>
}