# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

# Policy ABI 4.0: selects the set of rule classes the kernel mediates for
# this profile, so every mediated class (files, capabilities, mounts, ...)
# must be covered by explicit rules below.
abi <abi/4.0>,

include <tunables/global>

# Path of the confined binary; reused for the self-exec rule inside the profile.
@{exec_path} = @{bin}/os-prober
profile os-prober /{,usr/}{,s}bin/os-prober  flags=(attach_disconnected,complain) {
  # complain: violations of this profile are logged (audit) but NOT denied, so
  # the profile is not yet enforcing. attach_disconnected: paths detached from
  # the namespace root are still mediated against the rules below instead of
  # being rejected outright.
  include <abstractions/base>
  include <abstractions/consoles>
  include <abstractions/disks-read>       # read access to block devices the prober scans

  # dac_read_search: traverse/read foreign filesystems regardless of DAC bits.
  # sys_admin is a broad capability; presumably required for the mount/umount
  # work and for @{lib}/newns below — confirm against audit logs before
  # switching this profile to enforce mode.
  capability dac_read_search,
  capability sys_admin,

  # Only the dedicated scratch mountpoint may be unmounted. NOTE(review): there
  # is no matching `mount` rule; if os-prober reaches a mount via the inherited
  # @{bin}/mount (rix) rather than grub-mount (rpx), that call would be logged
  # in complain mode and denied in enforce mode — confirm before enforcing.
  umount /var/lib/os-prober/mount/,

  @{exec_path} mrix,

  # Exec transitions: rix = run inheriting this profile; rpx = switch to the
  # helper's own profile (exec is denied if no such profile is loaded).
  @{sh_path}               rix,
  @{bin}/{e,f,}grep        rix,
  @{bin}/blkid             rpx,
  @{bin}/btrfs             rpx,
  @{bin}/cat               rix,
  @{bin}/cut               rix,
  # rpux: unlike rpx, falls back to running *unconfined* when no dmraid profile
  # exists — the one rule here that can leave confinement entirely.
  @{bin}/dmraid           rpux,
  @{bin}/find              rix,
  @{bin}/grub-mount        rpx,
  @{bin}/grub-probe        rpx,
  @{bin}/head              rix,
  @{bin}/kmod              rpx,
  @{bin}/logger            rix,
  @{bin}/ls                rix,
  @{bin}/lsblk             rpx,
  @{bin}/lvm               rpx,
  @{bin}/mkdir             rix,
  @{bin}/mktemp            rix,
  @{bin}/mount             rix,
  @{bin}/multipath         rpx,
  @{bin}/readlink          rix,
  @{bin}/rm                rix,
  @{bin}/rmdir             rix,
  @{bin}/sed               rix,
  @{bin}/udevadm           rpx,
  @{bin}/umount            rix,
  @{bin}/uname             rix,
  @{bin}/which             rix,
  # os-prober's own helpers and probe scripts run under this same profile.
  @{lib}/newns             rix,
  @{lib}/os-prober/*       rix,
  @{lib}/os-probes/{,**}   rix,

  /usr/share/os-prober/common.sh r,
  /usr/share/terminfo/** r,

  # Working directory for the prober, including the mountpoint unmounted above.
  /var/lib/os-prober/{,**} rw,

  # Directory listings only (trailing slash): enumerate mount roots and EFI
  # directories without granting access to the files inside them.
  @{MOUNTS}/ r,
  / r,
  /boot/{efi/,} r,
  /boot/{efi/,}EFI/ r,
  /boot/{efi/,}EFI/**/ r,

  # owner: only temp trees belonging to the confined process's own uid.
  owner @{tmp}/os-prober.*/{,**} rw,

  @{run}/mount/utab r,

  # Block-device sysfs directories (PCI-attached and virtual devices).
  @{sys}/devices/@{pci}/block/*/ r,
  @{sys}/devices/virtual/block/*/ r,

  # Mount state: system-wide swaps, and the process's own mount tables only.
        @{PROC}/swaps r,
  owner @{PROC}/@{pid}/mountinfo r,
  owner @{PROC}/@{pid}/mounts r,

  /dev/tty@{int} rw,

  # Site-local additions; absent file is not an error.
  include if exists <local/os-prober>
}

# vim:syntax=apparmor
