From d570ff123ed5f7d6a7e26686b1ede7bf6a19f728 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol <alexandre@pujol.io>
Date: Sun, 4 Apr 2021 17:28:12 +0100
Subject: [PATCH] Add arch-audit  & pacdiff.

---
 apparmor.d/groups/pacman/arch-audit | 36 +++++++++++++++++++++++++++
 apparmor.d/groups/pacman/pacdiff    | 38 +++++++++++++++++++++++++++++
 2 files changed, 74 insertions(+)
 create mode 100644 apparmor.d/groups/pacman/arch-audit
 create mode 100644 apparmor.d/groups/pacman/pacdiff

diff --git a/apparmor.d/groups/pacman/arch-audit b/apparmor.d/groups/pacman/arch-audit
new file mode 100644
index 000000000..dbe1dba30
--- /dev/null
+++ b/apparmor.d/groups/pacman/arch-audit
@@ -0,0 +1,36 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}bin/arch-audit
+profile arch-audit @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/nameservice-strict>
+  include <abstractions/ssl_certs>
+
+  network inet dgram,
+  network inet6 dgram,
+  network inet stream,
+  network inet6 stream,
+  network netlink raw,
+
+  @{exec_path} mr,
+  
+  /etc/arch-audit/settings.toml r,
+
+  /usr/share/terminfo/x/xterm-256color r,
+
+  /var/lib/pacman/local/{,**} r,
+
+  @{PROC}/@{pid}/cgroup r,
+  @{PROC}/@{pid}/mountinfo r,
+
+  @{sys}/cgroup/cpu,cpuacct/user.slice/cpu.cfs_quota_us r,
+  @{sys}/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r,
+
+  include if exists <local/arch-audit>
+}
diff --git a/apparmor.d/groups/pacman/pacdiff b/apparmor.d/groups/pacman/pacdiff
new file mode 100644
index 000000000..50fe02395
--- /dev/null
+++ b/apparmor.d/groups/pacman/pacdiff
@@ -0,0 +1,38 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}bin/pacdiff
+profile pacdiff @{exec_path} {
+  include <abstractions/base>
+
+  capability dac_read_search,
+  capability mknod,
+
+  @{exec_path} mr,
+
+  /{usr/,}bin/pacman-conf  rPx,
+  /{usr/,}bin/{,ba,da}sh   rix,
+  /{usr/,}bin/cat          rix,
+  /{usr/,}bin/gawk         rix,
+  /{usr/,}bin/tput         rix,
+  /{usr/,}bin/locate       rix,
+  /{usr/,}bin/find         rix,
+
+  # packages files
+  / r,
+  /boot/{,**} r,
+  /etc/{,**} r,
+  /opt/{,**} r,
+  /srv/{,**} r,
+  /usr/{,**} r,
+  /var/{,**} r,
+
+  /dev/tty rw,
+
+  include if exists <local/pacdiff>
+}