# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/4.0>,

include <tunables/global>

@{exec_path} = @{bin}/ioping
@{att} = ""
profile ioping /{,usr/}bin/ioping flags=(complain) {
  include <abstractions/base-strict>
  include <abstractions/disks-read>

  # For pinging other users files as root.
  capability dac_read_search,
  capability dac_override,

  @{exec_path} mr,

  owner @{PROC}/@{pid}/mountinfo r,

  # The RW set on dirs means that the dirs can be pinged, which is safe write operation. In the
  # case of files, this write operation can damage files, so we allow only to read the files. When
  # pinging dirs, a file similar to "#1573619" is created in that dir, so it's allowed as well.
  / rw,
  /#@{int} rw,
  /**/ rw,
  /**/#@{int} rw,

  # Allow pinging files, but without write operation. Like in the case of dirs, when pinging dirs
  # there's also created the file similar to "#1573619" .
  /usr/**   r,
  /lib/**   r,
  /bin/*    r,
  /sbin/*   r,
  /etc/**   r,
  @{efi}/**  r,
  /opt/**   r,
  /var/**   r,
  @{MOUNTS}/** r,
  /tmp/**   r,
  /home/**  r,

  # This was created when ioping was used on an external SD card.
  /**/ioping.tmp.* w,

  include if exists <local/ioping>
}

# vim:syntax=apparmor
