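# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov
# Copyright (C) 2021-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only

# NOTE(review): the angle-bracketed targets of every `abi` and `include`
# statement below were lost when this page was extracted (`abi ,`, bare
# `include`). They are kept as found; restore them from the upstream file
# before loading this profile, the parser will reject the bare statements.
abi ,

include 

@{exec_path} = @{lib}/{,udisks2/}udisksd
profile udisksd @{exec_path} flags=(attach_disconnected) {
  include 
  include 
  include 
  include 
  include 
  include 

  # Daemon runs as root and manipulates block devices and mounts on behalf of
  # users; sys_admin covers mount(2), sys_rawio covers raw block access.
  capability chown,
  capability dac_override,
  capability dac_read_search,
  capability fowner,
  capability fsetid,
  capability net_admin,
  capability setgid,
  capability setuid,
  capability sys_admin,
  capability sys_nice,
  capability sys_rawio,

  network netlink raw,

  # Allow mounting of removable devices
  mount fstype={btrfs,ext*,vfat,exfat,iso9660,udf,ntfs3} /dev/{s,v}d[a-z]* -> @{MOUNTS}/*/,
  mount fstype={btrfs,ext*,vfat,exfat,iso9660,udf,ntfs3} /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTS}/*/,
  mount fstype={btrfs,ext*,vfat,exfat,iso9660,udf,ntfs3} /dev/dm-[0-9]* -> @{MOUNTS}/*/,

  # Allow mounting of loop devices (ISO files)
  mount fstype={btrfs,ext*,vfat,exfat,iso9660,udf,ntfs3} /dev/loop[0-9]* -> @{MOUNTS}/*/,
  mount fstype={btrfs,ext*,vfat,exfat,iso9660,udf,ntfs3} /dev/loop[0-9]*p[0-9]* -> @{MOUNTS}/*/,

  # Allow mounting of cdrom
  # (the /dev/loop[0-9]* rule that used to sit here duplicated the loop-device
  # rule above verbatim; optical media only go through /dev/sr*.)
  mount fstype={iso9660,udf,ntfs3} /dev/sr[0-9]* -> @{MOUNTS}/*/,

  # Allow mounting of sd cards
  mount fstype={btrfs,ext*,vfat,exfat,iso9660,udf,ntfs3} /dev/mmcblk[0-9] -> @{MOUNTS}/*/,
  mount fstype={btrfs,ext*,vfat,exfat,iso9660,udf,ntfs3} /dev/mmcblk[0-9]*p[0-9]* -> @{MOUNTS}/*/,

  # Allow mounting on temporary mount point
  mount -> @{run}/udisks2/temp-mount-*/,
  mount / -> @{MOUNTS}/*/,

  # Allow unmounting
  umount @{MOUNTS}/,
  umount @{MOUNTS}/*/,
  umount @{run}/udisks2/temp-mount-*/,
  umount /media/cdrom@{int}/,

  signal (receive) set=(int) peer=@{systemd},

  # dbus: own bus=system name=org.freedesktop.UDisks2

  # Needed to map a D-Bus caller back to its uid/pid for polkit checks.
  dbus send bus=system path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member={GetConnectionUnixUser,GetConnectionUnixProcessID}
       peer=(name=org.freedesktop.DBus, label=dbus-system),

  @{exec_path} mr,

  @{sh_path} rix,
  @{bin}/umount rix,

  # Filesystem and partitioning helpers run under their own profiles (Px).
  @{bin}/dmidecode rPx,
  @{bin}/dumpe2fs rPx,
  @{bin}/eject rPx,
  @{bin}/fsck.fat rPx,
  # PUx: falls back to unconfined when no profile for the target is loaded;
  # confirm a profile exists on the deployment before relying on this.
  @{bin}/lvm rPUx,
  @{bin}/mke2fs rPx,
  @{bin}/mkfs.* rPx,
  @{bin}/mount.exfat-fuse rPUx,
  @{bin}/ntfs-3g rPx,
  @{bin}/ntfsfix rPx,
  @{bin}/sfdisk rPx,
  @{bin}/sgdisk rPx,
  @{bin}/systemctl rCx -> systemctl,
  @{bin}/systemd-escape rPx,

  /etc/udisks2/{,**} r,
  /etc/libblockdev/{,**} r,
  /etc/fstab r,
  /etc/crypttab r,

  /var/lib/udisks2/{,**} r,
  /var/lib/udisks2/mounted-fs{,*} rw,

  # Be able to create/delete dirs for removable media
  @{MOUNTDIRS}/ rw,
  @{MOUNTS}/ rw,
  @{MOUNTS}/*/ rw,

  @{run}/ r,
  @{run}/mount/utab{,.*} rw,
  @{run}/mount/utab.lock rwk,
  @{run}/udisks2/{,**} rw,
  @{run}/systemd/seats/seat@{int} r,
  @{run}/systemd/inhibit/[0-9]*.ref rw,
  @{run}/cryptsetup/ r,
  @{run}/cryptsetup/L* rwk,

  @{run}/udev/data/+pci:* r,       # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.)
  @{run}/udev/data/+platform:* r,
  @{run}/udev/data/+scsi:* r,
  @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511

  @{sys}/bus/ r,
  @{sys}/bus/pci/slots/ r,
  @{sys}/class/ r,
  @{sys}/class/nvme-subsystem/ r,
  @{sys}/class/nvme/ r,
  @{sys}/devices/@{pci}/uevent r,
  @{sys}/devices/@{pci}/{ata,usb,mmc,virtio}[0-9]/{,**/}uevent w,
  @{sys}/devices/@{pci}/{ata,usb,mmc}[0-9]/{,**/}remove rw,
  @{sys}/devices/virtual/bdi/**/read_ahead_kb r,
  @{sys}/devices/virtual/block/*/{,**} rw,
  @{sys}/devices/virtual/block/loop@{int}/uevent rw,
  @{sys}/devices/virtual/dmi/id/product_uuid r,
  @{sys}/devices/virtual/nvme-subsystem/{,**} r,
  @{sys}/fs/ r,

  @{PROC}/cmdline r,
  @{PROC}/devices r,
  @{PROC}/swaps r,
  owner @{PROC}/@{pid}/fd/ r,
  owner @{PROC}/@{pid}/mountinfo r,
  owner @{PROC}/@{pid}/mounts r,

  /dev/loop-control rw,
  /dev/null.@{int} rw,

  # Child profile for systemctl invocations (rCx above).
  profile systemctl {
    include 
    include 
    include 

    include if exists 
  }

  include if exists 
}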