# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/4.0>,

include <tunables/global>

@{exec_path}  = @{bin}/{low,}ntfs{,-3g}
@{exec_path} += @{bin}/mount.{low,}ntfs{,-3g}
@{att} = /att/ntfs-3g/
profile ntfs-3g /{{,usr/}bin/{low,}ntfs{,-3g},{,usr/}bin/mount.{low,}ntfs{,-3g},{,usr/}bin/mount.{low,}ntfs{,-3g}}  flags=(attach_disconnected,attach_disconnected.path=@{att},complain) {
  include <abstractions/attached/base>
  include <abstractions/attached/consoles>
  include <abstractions/disks-write>
  include <abstractions/nameservice-strict>

  capability dac_override,
  capability dac_read_search,
  capability mknod,
  capability setgid,
  capability setuid,
  capability sys_admin,

  # Allow to mount ntfs disks only under the /media/, /run/media, and /mnt/ dirs
  mount fstype=fuseblk /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTDIRS},
  mount fstype=fuseblk /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTS}/,
  mount fstype=fuseblk /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTS}/*/,
  mount fstype=fuseblk /dev/mmcblk[0-9]*p[0-9]* -> @{MOUNTS}/,
  mount fstype=fuseblk /dev/mmcblk[0-9]*p[0-9]* -> @{MOUNTS}/*/,

  # Allow to mount encrypted partition
  mount fstype=fuseblk /dev/dm-[0-9]* -> @{MOUNTDIRS}/,
  mount fstype=fuseblk /dev/dm-[0-9]* -> @{MOUNTS}/,
  mount fstype=fuseblk /dev/dm-[0-9]* -> @{MOUNTS}/*/,

  mount fstype=fuseblk /dev/{s,v}d[a-z]*[0-9]* -> /tmp/fsa/*/, # fsarchiver

  umount @{MOUNTDIRS}/,
  umount @{MOUNTS}/,
  umount @{MOUNTS}/*/,

  @{exec_path} mr,

  @{bin}/kmod rpx,  # To load the fuse kernel module

  # Mount points
  @{MOUNTDIRS}/ r,
  @{MOUNTS}/ r,
  @{MOUNTS}/*/ r,

        @{PROC}/@{pids}/mountinfo r,
        @{PROC}/@{pids}/task/@{tid}/status r,
        @{PROC}/swaps r,
  owner @{PROC}/@{pid}/mounts r,

  /dev/fuse rw,
  /dev/tty@{int} rw,

  include if exists <local/ntfs-3g>
}

# vim:syntax=apparmor
