# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

# Policy ABI: rules in this file are interpreted with AppArmor 4.0 semantics.
abi <abi/4.0>,

# Global tunables supply the @{bin}, @{lib}, @{sh_path}, @{PROC}, @{sys},
# @{MOUNTS}, @{pci}, @{pid} and @{int} variables used by the profile below.
include <tunables/global>

# Main binary confined by this profile (see the mrix rule in the profile body).
@{exec_path} = @{bin}/os-prober
# os-prober scans attached block devices for other operating systems (used by
# grub-mkconfig). The complain flag means violations are logged, not denied.
profile os-prober /{,usr/}{,s}bin/os-prober flags=(attach_disconnected,complain) {
  include <abstractions/base>
  include <abstractions/consoles>

  # Candidate partitions are mounted and inspected: CAP_SYS_ADMIN covers
  # mount(2)/umount(2), CAP_DAC_READ_SEARCH lets the scan read foreign file
  # systems regardless of their DAC bits.
  capability dac_read_search,
  capability sys_admin,

  # NOTE(review): only an umount rule is present. @{bin}/mount runs inherited
  # (rix) in this profile and has no matching mount rule, so once the complain
  # flag is dropped the mount(2) would be denied -- confirm against audit logs.
  umount /var/lib/os-prober/mount/,

  @{exec_path} mrix,

  # Helpers that stay confined by this profile (ix).
  @{sh_path}                rix,
  @{bin}/{e,f,}grep         rix,
  @{bin}/cat                rix,
  @{bin}/cut                rix,
  @{bin}/find               rix,
  @{bin}/head               rix,
  @{bin}/logger             rix,
  @{bin}/ls                 rix,
  @{bin}/mkdir              rix,
  @{bin}/mktemp             rix,
  @{bin}/mount              rix,
  @{bin}/readlink           rix,
  @{bin}/rm                 rix,
  @{bin}/rmdir              rix,
  @{bin}/sed                rix,
  @{bin}/umount             rix,
  @{bin}/uname              rix,
  @{bin}/which              rix,
  @{lib}/newns              rix,   # presumably os-prober's namespace helper -- verify
  @{lib}/os-prober/*        rix,
  @{lib}/os-probes/{,**}    rix,

  # Tools that transition into their own profile (Px); the exec fails if that
  # profile is not loaded. dmraid alone falls back to unconfined (PUx) when no
  # dmraid profile exists.
  @{bin}/blkid              rPx,
  @{bin}/btrfs              rPx,
  @{bin}/dmraid            rPUx,
  @{bin}/grub-mount         rPx,
  @{bin}/grub-probe         rPx,
  @{bin}/kmod               rPx,
  @{bin}/lsblk              rPx,
  @{bin}/lvm                rPx,
  @{bin}/multipath          rPx,
  @{bin}/udevadm            rPx,

  # Shared shell library and terminal descriptions.
  /usr/share/os-prober/common.sh  r,
  /usr/share/terminfo/**          r,

  # Working directory: mount point and state files.
  /var/lib/os-prober/{,**}        rw,

  # Directories listed while looking for boot loaders / EFI entries.
  @{MOUNTS}/                      r,
  /                               r,
  /boot/{efi/,}                   r,
  /boot/{efi/,}EFI/               r,
  /boot/{efi/,}EFI/*/             r,

  # Per-run scratch directory created via mktemp, owned by the caller.
  owner /tmp/os-prober.*/{,**}    rw,

  # Block-device enumeration through sysfs.
  @{sys}/block/                   r,
  @{sys}/devices/@{pci}/block/*/  r,
  @{sys}/devices/virtual/block/*/ r,

  # Swap and mount tables.
  @{PROC}/swaps                   r,
  owner @{PROC}/@{pid}/mountinfo  r,
  owner @{PROC}/@{pid}/mounts     r,

  /dev/tty@{int}                  rw,

  include if exists <local/os-prober>
}
