apparmor.d/apparmor.d/profiles-m-r/mdadm

# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
# Copyright (C) 2025 Zane Zakraisek <zz@eng.utah.edu>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/4.0>,

include <tunables/global>

@{exec_path} = @{sbin}/mdadm
profile mdadm @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/consoles>
  include <abstractions/disks-write>

  capability dac_read_search,
  capability sys_admin,
  capability mknod,
  capability net_admin,

  network netlink raw,

  mqueue (read getattr) type=posix /,

  @{exec_path} mr,

  @{sh_path}      rix,
  @{bin}/sendmail rPUx,

  /etc/mdadm.conf r,

  @{run}/initctl r,
  @{run}/mdadm/* rwk,

  /var/tmp/mkinitramfs_@{rand6}/etc/mdadm/mdadm.conf.tmp rw,

  @{sys}/bus/pci/drivers/*/ r,
  @{sys}/devices/@{pci}/class r,
  @{sys}/devices/@{pci}/device r,
  @{sys}/devices/@{pci}/vendor r,
  @{sys}/devices/virtual/block/md*/** rw,
  @{sys}/module/md_mod/** rw,

  @{PROC}/@{pid}/fd/ r,
  @{PROC}/cmdline r,
  @{PROC}/kcore r,
  @{PROC}/partitions r,
  @{PROC}/mdstat rw,

  /dev/**/ r,
  /dev/.tmp.md.* rw,

  include if exists <local/mdadm>
}

# vim:syntax=apparmor