From 0cc9bb9d6c28a94541ecca0229ddd4c396231602 Mon Sep 17 00:00:00 2001
From: doublez13
Date: Fri, 2 Feb 2024 09:24:15 -0700
Subject: [PATCH] Mutt AppArmor Profile

AppArmor profile for mutt. There are an innumerable number of mutt configurations. This AA profile is intended to work with a stock mutt config. Any customizations should be placed in local/mutt
---
 apparmor.d/profiles-m-r/mutt | 178 +++++++++++++++++++++++++++++++++++
 1 file changed, 178 insertions(+)
 create mode 100644 apparmor.d/profiles-m-r/mutt

diff --git a/apparmor.d/profiles-m-r/mutt b/apparmor.d/profiles-m-r/mutt
new file mode 100644
index 000000000..ef51ad409
--- /dev/null
+++ b/apparmor.d/profiles-m-r/mutt
@@ -0,0 +1,178 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Zane Zakraisek
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}bin/mutt
+profile mutt @{exec_path} {
+ include
+ include
+ include
+ include
+
+ @{exec_path} mr,
+
+ # Mutt config files
+ /usr/{local/,}share/mutt/Muttrc r,
+ /etc/{mutt/,}Muttrc r,
+ owner @{HOME}/.mutt/** r,
+ owner @{HOME}/.muttrc* r,
+
+ owner @{HOME}/.cache/mutt rwk,
+
+ # Used when saving attachments. Mutt saves attachments in whatever directory
+ # it's launched from, which is most likely @{HOME}.
+ owner @{HOME}/* lw,
+ owner @{HOME}/.mutt*/ w,
+ owner @{HOME}/.mutt*/* w,
+ owner @{HOME}/Downloads/* lw,
+ # Used When viewing attachments
+ owner /tmp/* lrw,
+ # Allow uploading attachments from Public
+ owner @{HOME}/Public/* r,
+
+ #Needed to open a mailbox (at least an imap one)
+ owner /tmp/.mutt*/ rw,
+ owner /tmp/.mutt*/* lrwk,
+
+ # Might be able to get away without this
+ owner /tmp/mutt* lrwk,
+
+ # Needed for the edit operation.
+ @{HOME} r,
+
+ # User mbox
+ owner /var/{spool/,}mail/* rwk,
+ owner @{HOME}/postponed rwk,
+ owner @{HOME}/sent rwk,
+ # User maildir
+ owner @{HOME}/{M,m}ail/ rw,
+ owner @{HOME}/{M,m}ail/** rwk,
+
+ # Trusted certificate store
+ owner @{HOME}/.mutt_certificates rwk,
+
+ # Mutt history file
+ owner @{HOME}/.mutthistory rwk,
+
+ # Mutt signature file
+ owner @{HOME}/.signature r,
+
+ # Common location for mail aliases
+ owner @{HOME}/.mail_aliases r,
+
+ /usr/share/terminfo/** r,
+
+ /etc/mime.types r,
+
+ # Mutt mailcap search path
+ owner @{HOME}/.mailcap r,
+ /usr/share/mutt/mailcap r,
+ /etc/{mutt/,}mailcap r,
+ /usr/{local/,}etc/mailcap r,
+
+ # Used to exec programs defined in the mailcap.
+ # There are countless programs that can be executed from the mailcap.
+ # This profile includes only the most basic.
+ /{usr/,}bin/{,ba,da}sh rix,
+
+ /{usr/,}{s,}bin/sendmail rPUx,
+ /{usr/,}bin/ispell rPUx,
+ # TODO: Add a profile for abook (Most distros don't ship this anymore though)
+ /{usr/,}bin/abook rPUx,
+
+ /{usr/,}bin/w3m rCx -> html-renderer,
+ /{usr/,}bin/lynx rCx -> html-renderer,
+ /{usr/,}bin/vim rCx -> editor,
+ /{usr/,}bin/sensible-editor rCx -> editor,
+ /{usr/,}bin/more rCx -> pager,
+ /{usr/,}bin/less rCx -> pager,
+ /{usr/,}bin/pager rCx -> pager,
+ /{usr/,}bin/gpg{2,} rCx -> gpg,
+ /{usr/,}bin/pgpewrap rCx -> gpg,
+
+
+ profile html-renderer {
+ include
+
+ /{usr/,}bin/w3m mrix,
+ /{usr/,}bin/lynx mrix,
+
+ owner @{HOME}/.w3m/* rw,
+
+ owner /tmp/mutt* rw,
+
+ include if exists
+ }
+
+ profile editor {
+ include
+ include
+
+ /{usr/,}bin/sensible-editor mr,
+ /{usr/,}bin/vim mrix,
+ /{usr/,}bin/vim.* mrix,
+ /{usr/,}bin/{,ba,da}sh rix,
+ /{usr/,}bin/which{,.debianutils} rix,
+
+ /usr/share/vim/{,**} r,
+ /usr/share/terminfo/** r,
+
+ /etc/vimrc r,
+ /etc/vim/{,**} r,
+
+ owner @{HOME}/.selected_editor r,
+ owner @{HOME}/.viminfo{,.tmp} rw,
+ owner @{HOME}/.vimrc r,
+
+ # Vim swap file
+ owner @{HOME}/ r,
+ owner @{HOME}/.cache/ r,
+ owner @{HOME}/.cache/vim/** wr,
+
+ # This is the file that holds the message
+ owner /tmp/mutt* rw,
+
+ include if exists
+ }
+
+ profile pager {
+ include
+ include
+
+ /{usr/,}bin/less mrix,
+ /{usr/,}bin/more mrix,
+
+ owner @{HOME}/.lesshsQ r,
+ owner @{HOME}/.local/state/ r,
+ owner @{HOME}/.local/state/less* rw,
+
+ /usr/share/terminfo/x/xterm-256color r,
+ /usr/share/file/misc/magic.mgc r,
+
+ # This is the file that holds the message
+ owner /tmp/mutt* rw,
+
+ include if exists
+ }
+
+ profile gpg {
+ include
+ include
+
+ /{usr/,}bin/gpg{,2} mrix,
+ /{usr/,}bin/pgpewrap mr,
+
+ owner @{HOME}/@{XDG_GPG_DIR}/ rw,
+ owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
+
+ owner /tmp/mutt* lrw,
+
+ include if exists
+ }
+
+ include if exists
+}
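Review bot: `owner @{HOME}/* lw,` under the "Used when saving attachments" comment grants write and link on every user-owned file directly in $HOME, which includes shell start-up files such as `.bashrc` and `.profile` and `.muttrc` itself, so anything running under this profile could persist by editing them, which is what the confinement is meant to prevent. Because `/{usr/,}bin/{,ba,da}sh` is `rix`, every mailcap handler launched through the shell inherits that same write access. Attachment names almost never start with a dot, so `owner @{HOME}/[^.]* lw,` keeps the documented use case while leaving dotfiles read-only; mutt's own dotfiles are already covered by the `.mutt*` rules directly below it. `owner /tmp/* lrw,` is broad in the same way, but since it is limited to user-owned files it is the smaller concern.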