# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2022 Mikhail Morfikov
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/4.0>,

include <tunables/global>

@{exec_path} = @{bin}/mount
@{att} = /att/mount/
profile mount /{,usr/}bin/mount  flags=(attach_disconnected,attach_disconnected.path=@{att},complain) {
  include <abstractions/attached/base>
  include <abstractions/attached/consoles>
  include <abstractions/disks-write>
  include <abstractions/nameservice-strict>

  capability chown,
  capability dac_read_search,
  capability setgid,
  capability setuid,
  capability sys_admin,
  capability sys_rawio,

  mount,

  network inet stream,
  network inet6 stream,

  ptrace (read),

  signal (receive) set=(term, kill),

  @{exec_path} mr,

  @{bin}/lowntfs-3g     rpx,
  @{bin}/mount.*        rpx,
  @{bin}/ntfs-3g        rpx,
  @{bin}/sshfs          rpx,
  @{sbin}/mount.*       rpx,

  /etc/fstab r,

  /var/lib/snapd/snaps/*.snap r,

  # Mount points
  @{HOME}/ rw,
  @{HOME}/*/ rw,
  @{HOME}/*/*/ rw,
  @{MOUNTS}/ rw,
  @{MOUNTS}/*/ rw,
  @{MOUNTS}/*/*/ rw,

  # Mount iso/img files
  owner @{user_img_dirs}/{,**} rwk,

        @{run}/ r,
  owner @{run}/mount/ rw,
  owner @{run}/mount/utab{,.*} rwk,

  /tmp/sanity-squashfs-@{int} rw,
  /tmp/syscheck-squashfs-@{int} rw,

  @{PROC}/@{pid}/mountinfo r,

  # The special /dev/loop-control file can be used to create and destroy loop
  # devices or to find the first available loop device.
  /dev/loop-control rw,

  include if exists <local/mount>
}

# vim:syntax=apparmor
