# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/4.0>,

include <tunables/global>

@{exec_path} = @{bin}/mount.zfs
@{att} = ""
profile mount-zfs /{,usr/}bin/mount.zfs flags=(complain) {
  include <abstractions/base-strict>
  include <abstractions/nameservice-strict>

  capability dac_read_search,
  capability sys_admin,  # To mount anything.

  @{exec_path} mr,

  /dev/pts/@{int} rw,

  @{MOUNTDIRS}/ r,
  @{MOUNTS}/ r,
  @{MOUNTS}/*/ r,

  mount fstype=zfs -> @{MOUNTDIRS}/,
  mount fstype=zfs -> @{MOUNTS}/,
  mount fstype=zfs -> @{MOUNTS}/*/,
  mount fstype=zfs -> /,
  mount fstype=zfs -> /**/,
  mount fstype=zfs -> /tmp/zfsmnt.*/,
  mount fstype=zfs -> /tmp/zfsmnt.*/*/,

  umount @{MOUNTDIRS}/,
  umount @{MOUNTS}/,
  umount @{MOUNTS}/*/,
  umount /,
  umount /*/,
  umount /tmp/zfsmnt.*/,
  umount /tmp/zfsmnt.*/*/,

  @{PROC}/@{pids}/mounts r,

  /dev/zfs rw,

  include if exists <local/mount-zfs>
}

# vim:syntax=apparmor
