From 8153927d4cd77608970daef534f01489c6bba655 Mon Sep 17 00:00:00 2001
From: npwc <51269503+npwc@users.noreply.github.com>
Date: Tue, 16 Jan 2024 03:45:56 +0000
Subject: [PATCH] Create profile for secure-time-sync

Related to https://gitlab.com/madaidan/secure-time-sync
---
apparmor.d/profiles-s-z/secure-time-sync | 38 ++++++++++++++++++++++++++++++++++++++
1 file changed, 38 insertions(+)
create mode 100644 apparmor.d/profiles-s-z/secure-time-sync

diff --git a/apparmor.d/profiles-s-z/secure-time-sync b/apparmor.d/profiles-s-z/secure-time-sync
new file mode 100644
index 000000000..173e279d0
--- /dev/null
+++ b/apparmor.d/profiles-s-z/secure-time-sync
@@ -0,0 +1,38 @@
+# apparmor.d - Full set of apparmor profiles
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /usr/{,local/}bin/secure-time-sync
+profile secure-time-sync @{exec_path} flags=(attach_disconnected) {
+ include
+ include
+
+ capability sys_time,
+
+ network raw dgram,
+ network inet dgram,
+ network inet6 dgram,
+
+ owner /dev/tty rw,
+
+ owner /etc/ca-certificates/** r,
+ owner /etc/ssl/** r,
+
+ owner /etc/host.conf r,
+ owner /etc/hosts r,
+ owner /etc/nsswitch.conf r,
+ owner /etc/passwd r,
+ owner /etc/resolv.conf r,
+ owner /etc/gai.conf r,
+
+ /usr/bin/bash ix,
+ /usr/bin/curl mrix,
+ /usr/bin/date mrix,
+ /usr/bin/grep mrix,
+ /usr/bin/id mrix,
+ /usr/bin/sed mrix,
+ @{exec_path} r,
+}
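Review bot: The `network raw dgram,` rule names two socket types and no address family, so it most likely fails to parse or does not grant what was intended. If the usual netlink lookup rule was meant, that is `network netlink raw,`; otherwise the line should be dropped, since no `capability net_raw` accompanies it. The remaining network rules allow only `dgram` on inet/inet6, while `curl` runs with `ix` under this same profile and would need TCP for HTTP(S). Unless an included abstraction supplies it (the include targets are not readable on this page), add `network inet stream,` and `network inet6 stream,`. The `owner` qualifier on the `/etc/**` read rules only matches files owned by the calling user, so the rules work only while the tool runs as root; unqualified rules such as `/etc/hosts r,` would state the intent directly.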