# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/3.0>,

include <tunables/global>

@{exec_path} = /{usr/,}{local/,}{s,}bin/zpool
profile zpool @{exec_path} {
  include <abstractions/base>
  include <abstractions/disks-read>

  capability sys_admin,

  @{exec_path} mr,

  @{sh_path}        rix,
  /{usr/,}{local/,}lib/zfs-linux/zpool.d/* rix,

  /etc/hostid r,
  /etc/zfs/*.cache rwk,

  @{run}/blkid/blkid.tab rw,
  @{run}/blkid/blkid.tab.old rwl,
  @{run}/blkid/blkid.tab-@{rand6} rwl,

  /tmp/tmp.* rw,

  @{sys}/bus/pci/slots/ r,
  @{sys}/bus/pci/slots/@{int}/address r,

  @{PROC}/@{pids}/mountinfo r,
  @{PROC}/@{pids}/mounts r,
  @{PROC}/sys/kernel/spl/hostid r,

  /dev/pts/@{int} rw,
  /dev/zfs rw,

  include if exists <local/zpool>
}