# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/4.0>,

include <tunables/global>

@{exec_path} = @{bin}/makepkg
@{att} = ""
profile makepkg /{,usr/}bin/makepkg flags=(complain) {
  include <abstractions/base-strict>
  include <abstractions/consoles>
  include <abstractions/nameservice-strict>
  include <abstractions/path>
  include <abstractions/perl>
  include <abstractions/python>
  include <abstractions/shells>
  include <abstractions/ssl_certs>
  include <abstractions/wutmp>

  network inet stream,
  network inet6 stream,
  network inet dgram,
  network inet6 dgram,
  network netlink raw,

  signal send set=winch peer=pacman,
  signal send set=winch peer=pacman//systemctl,

  file,

  @{pager_path}                 px -> child-pager,
  @{bin}/gpg{,2}                cx -> gpg,
  @{bin}/gpgconf                cx -> gpg,
  @{bin}/gpgsm                  cx -> gpg,
  @{bin}/lsb_release            px,
  @{bin}/sudo                   cx -> sudo,

  deny capability sys_ptrace,
  deny ptrace read,

  profile gpg flags=(complain) {
    include <abstractions/base-strict>
    include <abstractions/consoles>
    include <abstractions/devices-usb>

    network netlink raw,

    @{bin}/gpg{,2} mr,
    @{bin}/gpgconf mr,
    @{bin}/gpgsm   mr,

    @{bin}/dirmngr           rix,
    @{bin}/gpg-agent         rix,
    @{bin}/gpg-connect-agent rix,
    @{lib}/{,gnupg/}scdaemon rix,

    /etc/pacman.d/gnupg/ r,
    /etc/pacman.d/gnupg/** rwkl -> /etc/pacman.d/gnupg/**,

    owner @{user_pkg_dirs}/{,**} rw,

    owner @{HOME}/@{XDG_GPG_DIR}/ rw,
    owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,

    owner @{user_cache_dirs}/makepkg/src/*.asc r,

    owner @{tmp}/.git_vtag_tmp@{rand6} rw,
    owner @{tmp}/tmp.@{rand10} rw,

    owner @{run}/user/@{uid}/ r,
    owner @{run}/user/@{uid}/gnupg/ r,
    owner @{run}/user/@{uid}/gnupg/d.@{rand}/ rw,
    owner @{run}/user/@{uid}/gnupg/d.@{rand}/S.gpg-agent{,.ssh,.browser,.extra} rw,
    owner @{run}/user/@{uid}/gnupg/d.@{rand}/S.scdaemon rw,
    owner @{run}/user/@{uid}/gnupg/S.scdaemon rw,

    @{PROC}/@{pid}/fd/ r,
    @{PROC}/@{pid}/task/@{tid}/comm rw,

    include if exists <local/makepkg_gpg>
  }

  profile sudo flags=(complain) {
    include <abstractions/base-strict>
    include <abstractions/app/sudo>

    capability sys_ptrace,

    ptrace read,

    signal send set=(term winch) peer=pacman,
    signal send set=(term winch) peer=pacman//systemctl,
    signal send set=(term winch) peer=systemd-tty-ask-password-agent,

    @{bin}/pacman px,

    include if exists <local/makepkg_sudo>
  }

  include if exists <local/makepkg>
}

# vim:syntax=apparmor
