# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

  # The /sys/ entries probably should be tightened

  abi <abi/4.0>,

  /dev/ r,
  /dev/block/ r,
  /dev/disk/{,*/} r,

  # Regular disk/partition devices
  /dev/{s,v}d[a-z]* rk,
  /dev/{s,v}d[a-z]*@{int} rk,
  @{sys}/devices/@{pci}/ata@{int}/** r,
  @{sys}/devices/@{pci}/block/{s,v}d[a-z]/ r,
  @{sys}/devices/@{pci}/block/{s,v}d[a-z]/** r,
  @{sys}/devices/@{pci}/usb@{int}/** r,
  @{sys}/devices/@{pci}/virtio@{int}/** r,
  @{sys}/devices/**/host@{int}/** r,

  # SSD Nvme devices
  /dev/nvme[0-9]* rk,
  @{sys}/devices/@{pci}/nvme/nvme@{int}/{,**} r,

  # SD card devices
  /dev/mmcblk[0-9]* rk,
  /dev/mmcblk[0-9]*p@{int} rk,
  @{sys}/devices/@{pci}/block/mmcblk@{int}/ r,
  @{sys}/devices/@{pci}/block/mmcblk@{int}/** r,
  @{sys}/devices/@{pci}/mmc@{int}/mmc*/ r,
  @{sys}/devices/@{pci}/mmc@{int}/mmc*/** r,
  @{sys}/devices/platform/**/block/mmcblk@{int}/ r,
  @{sys}/devices/platform/**/block/mmcblk@{int}/** r,
  @{sys}/devices/platform/**/mmc@{int}/ r,
  @{sys}/devices/platform/**/mmc@{int}/** r,

  # Loop devices
  /dev/loop[0-9]* rk,
  /dev/loop[0-9]*p@{int} rk,
  @{sys}/devices/virtual/block/loop@{int}/ r,
  @{sys}/devices/virtual/block/loop@{int}/** r,

  # Xen PVH devices
  @{sys}/devices/vbd-@{int}/block/** r,

  # Channel subsystem for IBM Z
  @{sys}/devices/css@{int}/** r,

  # LUKS/LVM (device-mapper) devices
  /dev/dm-@{int} rk,
  /dev/mapper/{,*} r,
  @{sys}/devices/virtual/block/dm-@{int}/ r,
  @{sys}/devices/virtual/block/dm-@{int}/** r,

  # ZFS devices
  /dev/zd@{int} rk,
  /dev/*pool/ r,
  /dev/zvol/{,*/} r,
  @{sys}/devices/virtual/block/zd@{int}/ r,
  @{sys}/devices/virtual/block/zd@{int}/** r,

  # ZRAM devices
  /dev/zram@{int} rk,
  @{sys}/devices/virtual/block/zram@{int}/ r,
  @{sys}/devices/virtual/block/zram@{int}/** r,

  # NBD devices
  /dev/nbd* rk,
  @{sys}/devices/virtual/block/nbd@{int}/ r,
  @{sys}/devices/virtual/block/nbd@{int}/** r,

  # Floppy disks
  /dev/fd@{int} rk,
  @{sys}/devices/platform/floppy.@{int}/block/fd@{int}/ r,
  @{sys}/devices/platform/floppy.@{int}/block/fd@{int}/** r,

  # CD-ROM
  /dev/sr@{int} rk,

  # MD RAID devices
  /dev/md@{int} rk,
  @{sys}/devices/virtual/block/md@{int}/ r,
  @{sys}/devices/virtual/block/md@{int}/** r,

  # Lookup block device by major:minor numbers
  # See: https://apparmor.pujol.io/development/internal/#udev-rules

  @{sys}/block/ r,
  @{sys}/class/block/ r,
  @{sys}/class/iscsi_session/ r,
  @{sys}/dev/block/ r,

  @{run}/udev/data/b2:@{int} r,       # for /dev/fd*
  @{run}/udev/data/b7:@{int} r,       # for /dev/loop*
  @{run}/udev/data/b8:@{int} r,       # for /dev/sd*
  @{run}/udev/data/b9:@{int} r,       # for /dev/md*
  @{run}/udev/data/b11:@{int} r,      # for /dev/sr*
  @{run}/udev/data/b43:@{int} r,      # for /dev/nbd*
  @{run}/udev/data/b179:@{int} r,     # for /dev/mmcblk*
  @{run}/udev/data/b230:@{int} r,     # for /dev/zvol*
  @{run}/udev/data/b24[0-9]:@{int} r, # for dynamic assignment range 240
  @{run}/udev/data/b25[0-4]:@{int} r, #                           to 254
  @{run}/udev/data/b259:@{int} r,     # Block Extended Major

  @{run}/udev/data/c189:@{int} r,     # for /dev/bus/usb/**

  @{run}/udev/data/+usb:* r,          # Identifies all USB devices

  include if exists <abstractions/disks-read.d>

# vim:syntax=apparmor
