# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/4.0>,

include <tunables/global>

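@{exec_path} = @{bin}/gpartedbin @{lib}/{,gparted/}gpartedbin
# gpartedbin is the privileged partition-editing backend. The profile is in
# complain mode: violations are logged but not denied until it is switched to
# enforce mode.
profile gpartedbin /{{,usr/}{,s}bin/gpartedbin,{,usr/}lib{,exec,32,64}/{,gparted/}gpartedbin} flags=(complain) {
  include <abstractions/base>
  include <abstractions/dconf-write>
  include <abstractions/desktop>
  include <abstractions/disks-write>
  include <abstractions/fontconfig-cache-read>

  # Raw block-device access and (re)partitioning need these broad capabilities.
  capability dac_read_search,
  capability ipc_lock,
  capability sys_admin,
  capability sys_rawio,

  ptrace read,

  signal send peer=mke2fs,

  @{exec_path} mr,

  @{sh_path}        rix,

  @{bin}/blkid      rpx,
  @{bin}/dmidecode  rpx,
  @{bin}/hdparm     rpx,
  @{bin}/kmod       rpx,

  # mount, umount and udevadm run in the dedicated child profiles below.
  @{bin}/mount      rcx -> mount,
  @{bin}/udevadm    rcx -> udevadm,
  @{bin}/umount     rcx -> umount,

  # Filesystem tools. `rpx` requires a loaded profile for the target; `rpux`
  # falls back to unconfined execution when none is loaded.
  @{bin}/btrfs      rpx,
  @{bin}/btrfstune  rpx,
  @{bin}/dmraid     rpux,
  @{bin}/dmsetup    rpux,
  @{bin}/dumpe2fs   rpx,
  @{bin}/e2fsck     rpx,
  @{bin}/e2image    rpx,
  @{bin}/fsck.btrfs rpx,
  @{bin}/fsck.fat   rpx,
  @{bin}/lvm        rpux,
  @{bin}/mdadm      rpux,
  @{bin}/mke2fs     rpx,
  @{bin}/mkfs.*     rpx,              # every mkfs.<fstype> helper
  @{bin}/mkntfs     rpx,
  @{bin}/mkswap     rpx,
  @{bin}/mtools     rpx,
  @{bin}/ntfsinfo   rpx,
  @{bin}/ntfslabel  rpx,
  @{bin}/ntfsresize rpx,
  @{bin}/resize2fs  rpx,
  @{bin}/swaplabel  rpx,
  @{bin}/swapoff    rpx,
  @{bin}/swapon     rpx,
  @{bin}/tune2fs    rpx,
  @{bin}/xfs_io     rpux,

  @{open_path}      rpx -> child-open,

        @{HOME}/.Xauthority r,
  # Presumably the "Save Details" HTML report; only the owner's files, write only.
  owner @{HOME}/*.htm w,

  # Temporary mount points created by gparted for resize/move operations.
  owner @{tmp}/gparted-*/ rw,

  @{run}/mount/utab r,

        @{PROC}/devices r,
        @{PROC}/partitions r,
        @{PROC}/swaps r,
        @{PROC}/version r,
  owner @{PROC}/@{pid}/fd/ r,
  owner @{PROC}/@{pid}/mountinfo r,
  owner @{PROC}/@{pid}/mounts r,

  profile mount flags=(complain) {
    include <abstractions/base>
    include <abstractions/disks-read>

    capability sys_admin,

    # Mounts are limited to sd*/vd* partition nodes and to the listed targets;
    # there is no generic `mount,` rule. Other device naming schemes are not
    # covered by this pattern.
    mount /dev/{s,v}d[a-z]*@{int} -> /tmp/gparted-*/,

    mount /dev/{s,v}d[a-z]*@{int} -> /boot/,
    mount /dev/{s,v}d[a-z]*@{int} -> @{MOUNTS}/,
    mount /dev/{s,v}d[a-z]*@{int} -> @{MOUNTS}/*/,

    @{bin}/mount mr,

    # Local override named after this child profile, matching the umount and
    # udevadm children below.
    include if exists <local/gpartedbin_mount>
  }

  profile umount flags=(complain) {
    include <abstractions/base>

    capability sys_admin,

    # Only the targets the mount child is allowed to mount may be unmounted.
    umount /tmp/gparted-*/,

    umount /boot/,
    umount @{MOUNTS}/,
    umount @{MOUNTS}/*/,

    @{bin}/umount mr,

    # util-linux mount table bookkeeping.
    owner @{run}/mount/ rw,
    owner @{run}/mount/utab{,.*} rw,
    owner @{run}/mount/utab.lock wk,

    owner @{PROC}/@{pid}/mountinfo r,

    include if exists <local/gpartedbin_umount>
  }

  profile udevadm flags=(complain) {
    include <abstractions/base>
    include <abstractions/app/udevadm>
    include <abstractions/disks-write>

    include if exists <local/gpartedbin_udevadm>
  }

  include if exists <local/gpartedbin>
}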

# vim:syntax=apparmor
