# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2017-2022 Mikhail Morfikov
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/4.0>,

include <tunables/global>

@{exec_path} = @{bin}/dirmngr
@{att} = ""
profile dirmngr /{,usr/}bin/dirmngr flags=(complain) {
  include <abstractions/base-strict>
  include <abstractions/consoles>
  include <abstractions/nameservice-strict>
  include <abstractions/p11-kit>
  include <abstractions/ssl_certs>

  network inet dgram,
  network inet6 dgram,
  network inet stream,
  network inet6 stream,

  @{exec_path} mr,

  /usr/share/gnupg/sks-keyservers.netCA.pem r,

  owner @{HOME}/@{XDG_GPG_DIR}/ rw,
  owner @{HOME}/@{XDG_GPG_DIR}/dirmngr.conf r,
  owner @{HOME}/@{XDG_GPG_DIR}/dirmngr_ldapservers.conf r,
  owner @{HOME}/@{XDG_GPG_DIR}/crls.d/ rw,
  owner @{HOME}/@{XDG_GPG_DIR}/crls.d/DIR.txt rw,

  owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/ rw,
  owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/dirmngr.conf r,
  owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/dirmngr_ldapservers.conf r,
  owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/crls.d/ rw,
  owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/crls.d/DIR.txt rw,

  owner @{run}/user/@{uid}/gnupg/ rw,
  owner @{run}/user/@{uid}/gnupg/S.dirmngr rw,
  owner @{run}/user/@{uid}/gnupg/d.*/S.dirmngr rw,

  # FIXME: Needed by dirmngr@.service
  owner /etc/pacman.d/gnupg/ rw,
  owner /etc/pacman.d/gnupg/S.dirmngr rw,
  owner /etc/pacman.d/gnupg/d.*/S.dirmngr rw,
  owner /etc/pacman.d/gnupg/crls.d/ rw,
  owner /etc/pacman.d/gnupg/crls.d/DIR.txt rw,

  owner @{PROC}/@{pid}/task/@{tid}/comm rw,

  include if exists <local/dirmngr>
}

# vim:syntax=apparmor
