# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

# This profile is large on purpose:
# - It is required to have a profile for mkosi to allow userns.
# - Mkosi uses a lot of different binaries and scripts inside sandbox.
# - Using the unconfined flag would Pix everything, we do not want that as the
#   transitioned profile would have to account for mkosi paths too.

abi <abi/4.0>,

include <tunables/global>

@{exec_path} = @{bin}/mkosi @{user_share_dirs}/pipx/venvs/*/bin/mkosi
@{att} = /att/mkosi/
profile mkosi /{{,usr/}bin/mkosi,home/*/.local/share/pipx/venvs/*/bin/mkosi}  flags=(attach_disconnected,attach_disconnected.path=@{att},mediate_deleted,complain) {
  include <abstractions/attached/base>

  all,
  userns,

  include if exists <local/mkosi>
}

# vim:syntax=apparmor
