# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
# Copyright (C) 2025 Zane Zakraisek <zz@eng.utah.edu>
# SPDX-License-Identifier: GPL-2.0-only

# Policy ABI 4.0: needed for the attach_disconnected.path= flag used below.
abi <abi/4.0>,

include <tunables/global>

@{exec_path} = @{sbin}/mdadm
# Anchor for paths the kernel reports as "disconnected" (no visible mount
# point); with attach_disconnected.path they are matched under this prefix
# instead of being denied outright.
@{att} = /att/mdadm/
# NOTE: the profile carries the `complain` flag, so every rule below is
# advisory: out-of-policy accesses are logged (apparmor="ALLOWED" audit
# events) but not blocked. Review those logs before dropping the flag.
profile mdadm /{,usr/}{,s}bin/mdadm  flags=(attach_disconnected,attach_disconnected.path=@{att},complain) {
  include <abstractions/attached/base>
  include <abstractions/attached/consoles>
  include <abstractions/disks-write>

  # Broad capabilities; sys_admin in particular covers far more than the
  # block-device ioctls an array manager needs, so keep the rest of the
  # profile tight to limit what a compromised mdadm could reach.
  capability dac_read_search,
  capability sys_admin,
  capability mknod,
  capability net_admin,

  network netlink raw,

  # POSIX message queue: read/getattr on the mqueue root only.
  mqueue (read getattr) type=posix /,

  @{exec_path} mr,

  @{sh_path}       rix,
  # pux: transition to sendmail's own profile if one is loaded, otherwise
  # run it unconfined. Confirm a sendmail profile exists on target hosts,
  # or this is an unconfined child process.
  @{sbin}/sendmail rpux,

  /etc/{,mdadm/}mdadm.conf     r,
  /etc/{,mdadm/}mdadm.conf.d/* r,

  @{run}/initctl r,
  @{run}/mdadm/* rwk,

  # Scratch copies of mdadm.conf written while building an initramfs.
  /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/etc/mdadm/mdadm.conf.tmp rw,
  /var/tmp/mkinitramfs_@{rand6}/etc/mdadm/mdadm.conf.tmp rw,

  @{sys}/bus/pci/drivers/*/ r,
  @{sys}/devices/@{pci}/class r,
  @{sys}/devices/@{pci}/device r,
  @{sys}/devices/@{pci}/vendor r,
  @{sys}/devices/virtual/block/md*/** rw,
  @{sys}/module/md_mod/** rw,

  @{PROC}/@{pid}/fd/ r,
  @{PROC}/cmdline r,
  @{PROC}/devices r,
  # NOTE(review): /proc/kcore is the kernel's memory image; confirm mdadm
  # actually opens it (check the ALLOWED/DENIED logs) before keeping this.
  @{PROC}/kcore r,
  @{PROC}/mdstat rw,
  @{PROC}/partitions r,

  # Directory listings under /dev only (trailing slash), not device nodes.
  /dev/**/ r,
  # presumably the temporary device nodes mdadm creates via mknod — verify
  /dev/.tmp.md.* rw,

  include if exists <local/mdadm>
}

# vim:syntax=apparmor
