diff --git a/apparmor.d/groups/pacman/pacman-hook-paccache b/apparmor.d/groups/pacman/pacman-hook-paccache
new file mode 100644
index 000000000..5725751ff
--- /dev/null
+++ b/apparmor.d/groups/pacman/pacman-hook-paccache
@@ -0,0 +1,149 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 valoq
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+profile pacman//null-@{bin}/paccache//null-@{bin}/date {
+ @{bin}/date r,
+
+ /dev/pts/2 rw, # file_inherit
+}
+
+profile pacman//null-@{bin}/paccache//null-@{bin}/find {
+ @{bin}/find r,
+ @{lib}/gconv/gconv-modules.cache r,
+
+ /var/cache/pacman/pkg/ r,
+
+ /dev/pts/2 rw, # file_inherit
+}
+
+profile pacman//null-@{bin}/paccache//null-@{bin}/pacman-conf {
+ @{bin}/pacman-conf r,
+
+ /etc/pacman.conf r,
+ /etc/pacman.d/ r,
+
+ /dev/pts/2 rw, # file_inherit
+}
+
+profile pacman//null-@{bin}/paccache//null-@{bin}/pacsort {
+ @{bin}/pacsort r,
+
+ /dev/pts/2 rw, # file_inherit
+}
+
+profile pacman//null-@{bin}/paccache//null-@{bin}/gawk {
+ @{bin}/gawk r,
+ @{lib}/gconv/gconv-modules.cache r,
+
+ /dev/pts/2 rw, # file_inherit
+}
+
+profile pacman//null-@{bin}/paccache//null-@{bin}/pacman//null-@{bin}/gpgconf {
+ @{bin}/gpgconf r,
+
+ /dev/pts/2 rw, # file_inherit
+}
+
+# vim:syntax=apparmor
+
+profile pacman//null-@{bin}/paccache//null-@{bin}/pacman//null-@{bin}/gpg {
+ @{bin}/gpg r,
+
+ /etc/pacman.d/ r,
+ /etc/pacman.d/gnupg/ r,
+ /etc/pacman.d/gnupg/gpg.conf r,
+ /etc/pacman.d/gnupg/pubring.gpg r,
+ /etc/pacman.d/gnupg/trustdb.gpg rw,
+
+ /dev/pts/2 rw, # file_inherit
+}
+
+profile pacman {
+ @{bin}/paccache ix -> pacman//null-@{bin}/paccache,
+}
+
+profile pacman//null-@{bin}/paccache {
+ @{sh_path} r,
+ @{bin}/date ix -> pacman//null-@{bin}/paccache//null-@{bin}/date,
+ @{bin}/date r,
+ @{bin}/find ix -> pacman//null-@{bin}/paccache//null-@{bin}/find,
+ @{bin}/find r,
+ @{bin}/gawk ix -> pacman//null-@{bin}/paccache//null-@{bin}/gawk,
+ @{bin}/gawk r,
+ @{bin}/paccache r,
+ @{bin}/pacman ix -> pacman//null-@{bin}/paccache//null-@{bin}/pacman,
+ @{bin}/pacman r,
+ @{bin}/pacman-conf ix -> pacman//null-@{bin}/paccache//null-@{bin}/pacman-conf,
+ @{bin}/pacman-conf r,
+ @{bin}/pacsort ix -> pacman//null-@{bin}/paccache//null-@{bin}/pacsort,
+ @{bin}/pacsort r,
+ @{lib}/gconv/gconv-modules.cache r,
+
+ / r,
+
+ /usr/share/makepkg/util/message.sh r,
+ /usr/share/makepkg/util/parseopts.sh r,
+
+ /var/ r,
+ /var/cache/ r,
+ /var/cache/pacman/ r,
+ /var/cache/pacman/pkg/ r,
+
+ /dev/pts/2 rw, # file_inherit
+ /dev/tty rw,
+}
+
+profile pacman//null-@{bin}/paccache//null-@{bin}/pacman {
+ @{bin}/gpg ix -> pacman//null-@{bin}/paccache//null-@{bin}/pacman//null-@{bin}/gpg,
+ @{bin}/gpgconf ix -> pacman//null-@{bin}/paccache//null-@{bin}/pacman//null-@{bin}/gpgconf,
+ @{bin}/gpgsm ix -> pacman//null-@{bin}/paccache//null-@{bin}/pacman//null-@{bin}/gpgsm,
+ @{bin}/pacman r,
+ @{lib}/gconv/gconv-modules.cache r,
+
+ / r,
+
+ /etc/pacman.conf r,
+ /etc/pacman.d/ r,
+ /etc/ssl/openssl.cnf r,
+
+ /var/lib/pacman/local/ r,
+ /var/lib/pacman/local/ r,
+ /var/lib/pacman/sync/ r,
+
+ /dev/pts/2 rw, # file_inherit
+}
+
+profile pacman//null-@{bin}/paccache//null-@{bin}/pacman//null-@{bin}/gpgsm {
+ @{bin}/gpgsm r,
+
+ /dev/pts/2 rw, # file_inherit
+}
+
+profile paccache//null-@{bin}/find {
+ @{bin}/find r,
+ @{lib}/gconv/gconv-modules.cache r,
+
+ /var/cache/pacman/pkg/ r,
+
+ /dev/pts/2 rw, # file_inherit
+}
+
+profile paccache {
+ @{bin}/date ix -> paccache//null-@{bin}/date,
+ @{bin}/find ix -> paccache//null-@{bin}/find,
+
+ /dev/pts/2 rw, # file_inherit
+}
+
+profile paccache//null-@{bin}/date {
+ @{bin}/date r,
+
+ /dev/pts/2 rw, # file_inherit
+}
+
+# vim:syntax=apparmor
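Review bot: The `abi ,` and `include` lines at the top of the hunk carry no argument, so the parser rejects this file as written (if that is an extraction artifact, confirm the committed file has `abi <abi/4.0>,` and `include <tunables/global>`), and the rest still reads as unedited aa-logprof output rather than a finished profile: every child is a `//null-…` learning profile, the `/dev/pts/2 rw, # file_inherit` lines hard-code a terminal number that will not match on another host, a second `# vim:syntax=apparmor` modeline sits mid-file before the gpg profile, and `/var/lib/pacman/local/ r,` is listed twice in the pacman child. Declaring bare `profile pacman {` and `profile paccache {` here will also collide with any `pacman` profile already in the tree and silently replace its rules with a single `ix` line. Because paccache exists to delete cached packages, the `r`-only rules on `/var/cache/pacman/pkg/` likely leave its removal path uncovered, which a confined run should confirm before merge. I would collapse the file into one `paccache` profile that runs its helpers `rix`, hands `pacman` off with `rPx` to the existing profile, and replaces the fixed pty with an `owner` glob.
```apparmor
# … unchanged: license header …
abi <abi/4.0>,

include <tunables/global>

@{exec_path} = @{bin}/paccache
profile paccache @{exec_path} {
  include <abstractions/base>

  @{exec_path} mr,
  @{sh_path} rix,
  @{bin}/{date,find,gawk,pacsort,pacman-conf} rix,
  @{bin}/pacman rPx,   # existing pacman profile handles gpg/gpgconf/gpgsm itself

  /usr/share/makepkg/util/message.sh r,
  /usr/share/makepkg/util/parseopts.sh r,

  /etc/pacman.conf r,
  /etc/pacman.d/ r,

  /var/cache/pacman/pkg/ r,
  # TODO(review): paccache removes files under /var/cache/pacman/pkg/; add the
  # write/delete rule once a confined run shows the exact denial.

  /dev/tty rw,
  owner /dev/pts/[0-9]* rw,

  include if exists <local/paccache>
}
```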