# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/3.0>,

include <tunables/global>

@{exec_path} = @{bin}/blkid
profile blkid @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/consoles>
  include <abstractions/disks-read>

  capability sys_rawio,

  @{exec_path} mr,

  /etc/blkid.conf r,

  # When the system doesn't have the /run/ dir, the cache file is placed under /etc/
  @{etc_rw}/blkid.tab{,-@{rand6}} rw,
  @{etc_rw}/blkid.tab.old rwl -> /etc/blkid.tab,

  # Image files
  @{user_img_dirs}/{,**} r,

  # The standard location of the cache file
  # Without owner here if this tool should be used as a regular user
  @{run}/blkid/ rw,
  @{run}/blkid/blkid.tab{,-@{rand6}} rw,
  @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab,

  @{run}/cloud-init/ds-identify.log w, # file_inherit

  # For the EVALUATE=scan method
  @{PROC}/partitions r,

  owner /dev/tty@{int} rw,

  include if exists <local/blkid>
}

# vim:syntax=apparmor