# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/3.0>,

include <tunables/global>

@{exec_path} = /{usr/,}{local/,}{s,}bin/zed
profile zed @{exec_path} {
  include <abstractions/base>
  include <abstractions/disks-read>
  
  capability sys_admin,

  network netlink raw,
  
  @{exec_path} mr,

  @{bin}/{m,g,}awk rix,
  @{bin}/basename rix,
  @{bin}/cat rix,
  @{bin}/diff rix,
  @{bin}/expr rix,
  @{bin}/flock rix,
  @{bin}/grep rix,
  @{bin}/hostname rix,
  @{bin}/logger rix,
  @{bin}/ls rix,
  @{bin}/mktemp rix,
  @{bin}/realpath rix,
  @{bin}/rm rix,
  @{bin}/sort rix,

  /{usr/,}{local/,}{s,}bin/zpool rPx,
  /{usr/,}{local/,}{s,}bin/zfs rPx,
  /{usr/,}{local/,}lib/zfs-linux/zed.d/*.sh rix,

  /etc/zfs/zed.d/{,*} r,
  /etc/zfs/zfs-list.cache/{,*} rwk,

  @{run}/zed.pid rwkl,
  @{run}/zed.state rwkl,
  @{run}/zfs-list.cache@* rw,

  owner /tmp/tmp.* rw,

  @{sys}/bus/pci/slots/ r,
  @{sys}/bus/pci/slots/@{int}/address r,
  @{sys}/module/zfs/parameters/zfs_zevent_len_max rw,
  
        @{PROC}/@{pids}/mounts r,
  owner @{PROC}/@{pids}/fd/ r,
        @{PROC}/@{pid}/task/@{tid}/comm rw,

  /dev/zfs rw,

  include if exists <local/zed>
}