# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/4.0>,

include <tunables/global>

@{exec_path} = @{bin}/gpartedbin @{lib}/{,gparted/}gpartedbin
profile gpartedbin @{exec_path} {
  include <abstractions/base>
  include <abstractions/dconf-write>
  include <abstractions/desktop>
  include <abstractions/disks-write>
  include <abstractions/fontconfig-cache-read>

  capability dac_read_search,
  capability ipc_lock,
  capability sys_admin,
  capability sys_rawio,

  ptrace read,

  signal send peer=mke2fs,

  @{exec_path} mr,

  @{sh_path}        rix,

  @{bin}/blkid      rPx,
  @{bin}/dmidecode  rPx,
  @{bin}/hdparm     rPx,
  @{bin}/kmod       rPx,

  @{bin}/mount      rCx -> mount,
  @{bin}/udevadm    rCx -> udevadm,
  @{bin}/umount     rCx -> umount,

  @{bin}/btrfs      rPx,
  @{bin}/btrfstune  rPx,
  @{bin}/dmraid     rPUx,
  @{bin}/dmsetup    rPUx,
  @{bin}/dumpe2fs   rPx,
  @{bin}/e2fsck     rPx,
  @{bin}/e2image    rPx,
  @{bin}/fsck.btrfs rPx,
  @{bin}/fsck.fat   rPx,
  @{bin}/lvm        rPUx,
  @{bin}/mdadm      rPUx,
  @{bin}/mke2fs     rPx,
  @{bin}/mkfs.*     rPx,
  @{bin}/mkntfs     rPx,
  @{bin}/mkswap     rPx,
  @{bin}/mtools     rPx,
  @{bin}/ntfsinfo   rPx,
  @{bin}/ntfslabel  rPx,
  @{bin}/ntfsresize rPx,
  @{bin}/resize2fs  rPx,
  @{bin}/swaplabel  rPx,
  @{bin}/swapoff    rPx,
  @{bin}/swapon     rPx,
  @{bin}/tune2fs    rPx,
  @{bin}/xfs_io     rPUx,

  @{open_path}      rPx -> child-open,

        @{HOME}/.Xauthority r,
  owner @{HOME}/*.htm w,

  owner @{tmp}/gparted-*/ rw,

  @{run}/mount/utab r,

        @{PROC}/devices r,
        @{PROC}/partitions r,
        @{PROC}/swaps r,
        @{PROC}/version r,
  owner @{PROC}/@{pid}/fd/ r,
  owner @{PROC}/@{pid}/mountinfo r,
  owner @{PROC}/@{pid}/mounts r,

  profile mount {
    include <abstractions/base>
    include <abstractions/disks-read>

    capability sys_admin,

    mount /dev/{s,v}d[a-z]*@{int} -> /tmp/gparted-*/,

    mount /dev/{s,v}d[a-z]*@{int} -> /boot/,
    mount /dev/{s,v}d[a-z]*@{int} -> @{MOUNTS}/,
    mount /dev/{s,v}d[a-z]*@{int} -> @{MOUNTS}/*/,

    @{bin}/mount mr,

    include if exists <local/gpartedbin_mount>
  }

  profile umount {
    include <abstractions/base>

    capability sys_admin,

    umount /tmp/gparted-*/,

    umount /boot/,
    umount @{MOUNTS}/,
    umount @{MOUNTS}/*/,

    @{bin}/umount mr,

    owner @{run}/mount/ rw,
    owner @{run}/mount/utab{,.*} rw,
    owner @{run}/mount/utab.lock wk,

    owner @{PROC}/@{pid}/mountinfo r,

    include if exists <local/gpartedbin_umount>
  }

  profile udevadm {
    include <abstractions/base>
    include <abstractions/app/udevadm>
    include <abstractions/disks-write>

    include if exists <local/gpartedbin_udevadm>
  }

  include if exists <local/gpartedbin>
}

# vim:syntax=apparmor