# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/4.0>,

include <tunables/global>

@{exec_path} = @{bin}/{btrfs,btrfsck}
profile btrfs @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/disks-write>
  include <abstractions/user-download-strict>

  capability sys_admin,
  capability fowner,
  capability sys_rawio,

  @{exec_path} mr,

  /var/lib/btrfs/ rw,
  /var/lib/btrfs/scrub.progress.@{uuid} rw,
  /var/lib/btrfs/scrub.status.@{uuid}{,_tmp} rwk,

  / r,
  /.snapshots/ r,
  /boot/ r,
  /boot/**/ r,
  /home/ r,
  /opt/ r,
  /root/ r,
  /srv/ r,
  /usr/local/ r,
  /var/ r,
  @{MOUNTS}/ r,
  @{MOUNTS}/ext2_saved/ rw,
  @{MOUNTS}/ext2_saved/image rw,
  @{MOUNTS}/*/ r,
  @{MOUNTS}/*/ext2_saved/ rw,
  @{MOUNTS}/*/ext2_saved/image rw,

  # To be able to manage btrfs volumes
  owner @{user_img_dirs}/{,**} rwk,

  # For fsck of the btrfs filesystem directly from gparted
  owner @{tmp}/gparted-*/ rw,

  @{run}/blkid/blkid.tab{,-@{rand6}} rw,
  @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab,
  @{run}/snapper-tools-*/ r,
  @{run}/snapper-tools-@{rand6}/@/.snapshots/@{int}/snapshot r,

  @{sys}/fs/btrfs/@{uuid}/** r,

        @{PROC}/partitions r,
  owner @{PROC}/@{pid}/mounts r,

  /dev/btrfs-control rw,
  /dev/pts/@{int} rw,
  /dev/tty@{int} rw,

  include if exists <local/btrfs>
}

# vim:syntax=apparmor