# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/4.0>,

include <tunables/global>

@{exec_path} = @{bin}/gpartedbin
@{exec_path} += @{lib}/gpartedbin
@{exec_path} += @{lib}/gparted/gpartedbin
profile gpartedbin /{{,usr/}{,s}bin/gpartedbin,{,usr/}lib{,exec,32,64}/gpartedbin,{,usr/}lib{,exec,32,64}/gparted/gpartedbin} flags=(complain) {
  include <abstractions/base>
  include <abstractions/dconf-write>
  include <abstractions/disks-write>
  include <abstractions/fontconfig-cache-read>
  include <abstractions/fonts>
  include <abstractions/freedesktop.org>
  include <abstractions/gtk>

  capability dac_read_search,
  capability ipc_lock,
  capability sys_admin,
  capability sys_rawio,

  ptrace (read),

  signal (send) peer=mke2fs,

  @{exec_path} mr,

  @{sh_path}         rix,

  @{bin}/blkid      rPx,
  @{bin}/dmidecode  rPx,
  @{bin}/hdparm     rPx,
  @{bin}/kmod       rPx,

  @{bin}/mount      rCx -> mount,
  @{bin}/udevadm    rCx -> udevadm,
  @{bin}/umount     rCx -> umount,

  @{bin}/btrfs      rPx,
  @{bin}/btrfstune  rPx,
  @{bin}/dmraid     rPUx,
  @{bin}/dmsetup    rPUx,
  @{bin}/dumpe2fs   rPx,
  @{bin}/e2fsck     rPx,
  @{bin}/e2image    rPx,
  @{bin}/fsck.btrfs rPx,
  @{bin}/fsck.fat   rPx,
  @{bin}/lvm        rPUx,
  @{bin}/mdadm      rPUx,
  @{bin}/mke2fs     rPx,
  @{bin}/mkfs.*     rPx,
  @{bin}/mkntfs     rPx,
  @{bin}/mkswap     rPx,
  @{bin}/mtools     rPx,
  @{bin}/ntfsinfo   rPx,
  @{bin}/ntfslabel  rPx,
  @{bin}/ntfsresize rPx,
  @{bin}/resize2fs  rPx,
  @{bin}/swaplabel  rPx,
  @{bin}/swapoff    rPx,
  @{bin}/swapon     rPx,
  @{bin}/tune2fs    rPx,
  @{bin}/xfs_io     rPUx,

  @{open_path}      rPx -> child-open,

        @{HOME}/.Xauthority r,
  owner @{HOME}/*.htm w,

  owner /tmp/gparted-*/ rw,

  @{run}/mount/utab r,
  
        @{PROC}/devices r,
        @{PROC}/partitions r,
        @{PROC}/swaps r,
        @{PROC}/version r,
  owner @{PROC}/@{pid}/fd/ r,
  owner @{PROC}/@{pid}/mountinfo r,
  owner @{PROC}/@{pid}/mounts r,

  /dev/mapper/control rw,

  profile mount flags=(complain) {
    include <abstractions/base>

    capability sys_admin,

    mount /dev/{s,v}d[a-z]*[0-9]* -> /tmp/gparted-*/,

    mount /dev/{s,v}d[a-z]*[0-9]* -> /boot/,
    mount /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTS}/,
    mount /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTS}/*/,

    @{bin}/mount mr,

    @{sys}/devices/@{pci}/block/{s,v}d[a-z]/ r,
    @{sys}/devices/@{pci}/block/{s,v}d[a-z]/dev r,
    @{sys}/devices/@{pci}/block/{s,v}d[a-z]/{s,v}d[a-z][0-9]*/ r,
    @{sys}/devices/@{pci}/block/{s,v}d[a-z]/{s,v}d[a-z][0-9]*/{start,size} r,

    /dev/{s,v}d[a-z]* r,
    /dev/{s,v}d[a-z]*[0-9]* r,

  }

  profile umount flags=(complain) {
    include <abstractions/base>

    capability sys_admin,

    umount /tmp/gparted-*/,

    umount /boot/,
    umount @{MOUNTS}/,
    umount @{MOUNTS}/*/,

    @{bin}/umount mr,

    owner @{run}/mount/ rw,
    owner @{run}/mount/utab{,.*} rw,
    owner @{run}/mount/utab.lock wk,

    owner @{PROC}/@{pid}/mountinfo r,

  }

  profile udevadm flags=(complain) {
    include <abstractions/base>
    include <abstractions/disks-write>

    ptrace (read),

    @{bin}/udevadm mr,

    /etc/udev/udev.conf r,

          @{PROC}/1/environ r,
          @{PROC}/1/sched r,
          @{PROC}/cmdline r,
          @{PROC}/sys/kernel/osrelease r,
          @{PROC}/sys/kernel/random/boot_id r,
    owner @{PROC}/@{pid}/cgroup r,
    owner @{PROC}/@{pid}/stat r,

    /dev/mapper/control rw,

  }

  include if exists <local/gpartedbin>
}
