# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/4.0>,

include <tunables/global>

@{exec_path} = @{bin}/{btrfs,btrfsck}
profile btrfs /{,usr/}{,s}bin/{btrfs,btrfsck}  flags=(attach_disconnected,complain) {
  include <abstractions/base>
  include <abstractions/disks-write>
  include <abstractions/user-download-strict>

  capability sys_admin,
  capability fowner,
  capability sys_rawio,

  @{exec_path} mr,

  /var/lib/btrfs/ rw,
  /var/lib/btrfs/scrub.progress.@{uuid} rw,
  /var/lib/btrfs/scrub.status.@{uuid}{,_tmp} rwk,

  / r,
  /boot/ r,
  /.snapshots/ r,
  @{MOUNTS}/ r,
  @{MOUNTS}/ext2_saved/ rw,
  @{MOUNTS}/ext2_saved/image rw,
  @{MOUNTS}/*/ r,
  @{MOUNTS}/*/ext2_saved/ rw,
  @{MOUNTS}/*/ext2_saved/image rw,

  # To be able to manage btrfs volumes
  owner @{user_img_dirs}/{,**} rwk,

  # For fsck of the btrfs filesystem directly from gparted
  owner /tmp/gparted-*/ rw,

  @{run}/blkid/blkid.tab{,-@{rand6}} rw,
  @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab,
  @{run}/snapper-tools-*/ r,
  @{run}/snapper-tools-@{rand6}/@/.snapshots/@{int}/snapshot r,
  
  @{sys}/fs/btrfs/@{uuid}/exclusive_operation r,
  @{sys}/fs/btrfs/@{uuid}/devinfo/@{int}/fsid r,
  @{sys}/fs/btrfs/@{uuid}/devinfo/@{int}/scrub_speed_max r,

        @{PROC}/partitions r,
  owner @{PROC}/@{pid}/mounts r,

  /dev/btrfs-control rw,
  /dev/pts/@{int} rw,
  /dev/tty@{int} rw,
  

  include if exists <local/btrfs>
}
