From ea97ff6a5f286913419ef1cdad92c2af1958d4c8 Mon Sep 17 00:00:00 2001
From: doublez13
Date: Wed, 14 Feb 2024 16:03:03 -0700
Subject: [PATCH] Mutt and Abook profiles (#288)
There are an innumerable number of mutt configurations. This AA profile is intended to work with a stock mutt config. Any customizations should be placed in local/mutt
This might be a little annoying because by default mutt saves attachments in the directory that it was started from (most likely ~/), and there is no config option that I'm aware of to set a default download location. A user will either need to manually specify a location (like ~/Downloads) when saving, or allow saving to ~/ in the local override.
---
apparmor.d/profiles-a-f/abook | 32 ++++++
apparmor.d/profiles-m-r/mutt | 189 ++++++++++++++++++++++++++++++++++
2 files changed, 221 insertions(+)
create mode 100644 apparmor.d/profiles-a-f/abook
create mode 100644 apparmor.d/profiles-m-r/mutt
diff --git a/apparmor.d/profiles-a-f/abook b/apparmor.d/profiles-a-f/abook
new file mode 100644
index 000000000..65de045a1
--- /dev/null
+++ b/apparmor.d/profiles-a-f/abook
@@ -0,0 +1,32 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Zane Zakraisek
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/abook
+profile abook @{exec_path} {
+ include
+ include
+ include
+ include
+
+ @{exec_path} mr,
+
+ # Used for printing
+ @{bin}/{,ba,da}sh rix,
+ @{bin}/lp{,r} rPUx,
+ # Abook has built in support to launch mutt
+ @{bin}/mutt rPUx,
+
+ /usr/share/terminfo/** r,
+
+ /etc/inputrc r,
+
+ owner @{HOME}/.abook/abookrc r,
+ owner @{HOME}/.abook/addressbook* rw,
+
+ include if exists
+}
diff --git a/apparmor.d/profiles-m-r/mutt b/apparmor.d/profiles-m-r/mutt
new file mode 100644
index 000000000..2f0724f34
--- /dev/null
+++ b/apparmor.d/profiles-m-r/mutt
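Review bot: The abook hunk grants `owner @{HOME}/.abook/addressbook* rw,` but has no rule for the `~/.abook/` directory itself; abook presumably creates that directory on first run when it is missing, in which case the first start would be denied until something like `owner @{HOME}/.abook/ w,` is added — worth confirming against a fresh home. The `addressbook*` glob already covers backup copies such as `addressbook~`, so the file rule itself looks sufficient. `@{bin}/mutt rPUx,` transitions into the mutt profile added in this same commit only where that profile is loaded and otherwise falls back to unconfined, which matches the repository's usual PUx convention but deserves a short comment next to the rule.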
@@ -0,0 +1,189 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Zane Zakraisek
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/mutt
+profile mutt @{exec_path} {
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+
+ network inet dgram,
+ network inet6 dgram,
+ network inet stream,
+ network inet6 stream,
+ network netlink raw,
+
+ @{exec_path} mr,
+
+ # Used to exec programs defined in the mailcap.
+ # There are countless programs that can be executed from the mailcap.
+ # This profile includes only the most basic.
+ @{bin}/{,ba,da}sh rix,
+
+ @{bin}/sendmail rPUx,
+ @{lib}/sendmail/sendmail rPUx,
+ @{bin}/ispell rPUx,
+ @{bin}/abook rPUx,
+ @{bin}/mutt_dotlock rix,
+ # Misc mutt scripts
+ @{lib}/mutt/* rix,
+
+ @{bin}/w3m rCx -> html-renderer,
+ @{bin}/lynx rCx -> html-renderer,
+ @{bin}/vim rCx -> editor,
+ @{bin}/vim.* rCx -> editor,
+ @{bin}/sensible-editor rCx -> editor,
+ @{bin}/more rCx -> pager,
+ @{bin}/less rCx -> pager,
+ @{bin}/pager rCx -> pager,
+ @{bin}/gpg{2,} rCx -> gpg,
+ @{bin}/gpgconf rCx -> gpg,
+ @{bin}/gpgsm rCx -> gpg,
+ @{bin}/pgpewrap rCx -> gpg,
+
+ /usr/share/terminfo/** r,
+
+ # Mutt MIME types search path
+ /etc/mime.types r,
+ owner @{HOME}/.mime.types r,
+
+ # Mutt mailcap search path
+ /etc/{mutt/,}mailcap r,
+ /usr/etc/mailcap r,
+ owner @{HOME}/.mailcap r,
+
+ # Mutt config files
+ /usr/share/mutt/** r,
+ /etc/{mutt/,}Muttrc r,
+ /etc/{mutt/,}Muttrc.d/{*,} r,
+ owner @{HOME}/.mutt/** r,
+ owner @{HOME}/.muttrc* r,
+
+ # Needed for the edit operation.
+ owner @{HOME}/ r,
+
+ # User mbox
+ # Could be a file or dir depending on mbox_type variable
+ owner /var/{spool/,}mail/* rwlk,
+ owner @{HOME}/{mbox,postponed,sent}* rwlk,
+ owner @{HOME}/{mbox,postponed,sent}/ rw,
+ owner @{HOME}/{mbox,postponed,sent}/** rwlk,
+ # User maildir
+ owner @{user_mail_dirs}/ rw,
+ owner @{user_mail_dirs}/** rwlk -> @{user_mail_dirs}/**,
+
+ # Trusted certificate store
+ owner @{HOME}/.mutt_certificates rwk,
+
+ # Mutt history file
+ owner @{HOME}/.mutthistory rwk,
+
+ # Mutt signature file
+ owner @{HOME}/.signature r,
+
+ # Common location for mail aliases
+ owner @{HOME}/.mail_aliases r,
+
+ owner @{HOME}/.cache/mutt rwk,
+
+ # Needed to compose a message
+ owner /{var/,}tmp/.mutt*/ rw,
+ owner /{var/,}tmp/.mutt*/* lrwk,
+ owner /{var/,}tmp/mutt* lrwk,
+
+ # Used When viewing attachments
+ owner /{var/,}tmp/* lrw,
+
+ profile html-renderer {
+ include
+
+ @{bin}/w3m mrix,
+ @{bin}/lynx mrix,
+
+ owner @{HOME}/.w3m/* rw,
+
+ owner /{var/,}tmp/mutt* rw,
+
+ include if exists
+ }
+
+ profile editor {
+ include
+ include
+
+ @{bin}/sensible-editor mr,
+ @{bin}/vim mrix,
+ @{bin}/vim.* mrix,
+ @{bin}/{,ba,da}sh rix,
+ @{bin}/which{,.debianutils} rix,
+
+ /usr/share/vim/{,**} r,
+ /usr/share/terminfo/** r,
+
+ /etc/vimrc r,
+ /etc/vim/{,**} r,
+
+ owner @{HOME}/.selected_editor r,
+ owner @{HOME}/.viminfo{,.tmp} rw,
+ owner @{HOME}/.vimrc r,
+
+ # Vim swap file
+ owner @{HOME}/ r,
+ owner @{HOME}/.cache/ r,
+ owner @{HOME}/.cache/vim/** wr,
+
+ # This is the file that holds the message
+ owner /{var/,}tmp/{.,}mutt* rw,
+
+ include if exists
+ }
+
+ profile pager {
+ include
+ include
+
+ /usr/share/terminfo/** r,
+ /usr/share/file/misc/magic.mgc r,
+
+ @{bin}/less mr,
+ @{bin}/more mr,
+ @{bin}/pager mr,
+
+ owner @{HOME}/.lesshs* r,
+ owner @{HOME}/.local/state/ r,
+ owner @{HOME}/.local/state/less* rw,
+
+ # This is the file that holds the message
+ owner /{var/,}tmp/mutt* rw,
+
+ include if exists
+ }
+
+ profile gpg {
+ include
+ include
+
+ @{bin}/gpg{,2} mrix,
+ @{bin}/gpgconf mr,
+ @{bin}/gpgsm mr,
+ @{bin}/pgpewrap mr,
+
+ owner @{HOME}/@{XDG_GPG_DIR}/ rw,
+ owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
+
+ owner /{var/,}tmp/mutt* lrw,
+
+ include if exists
+ }
+
+ include if exists
+}
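Review bot: `owner /{var/,}tmp/* lrw,` under "Used When viewing attachments" is the widest rule in the mutt profile: it lets mutt read, write and hard-link every owner-owned entry directly under /tmp and /var/tmp, including temporary files of unrelated programs. Mutt's own temporaries are already covered by `owner /{var/,}tmp/mutt* lrwk,` two lines above, and every child profile scopes itself to `/{var/,}tmp/mutt*`, so this rule looks redundant for stock behaviour unless a mailcap handler writes under its own file name — if such a handler is needed, its access belongs in that handler's child profile, not in the main one. Consider dropping the rule or narrowing it to the exact pattern observed in audit logs, and adding a comment stating which handler needs it. Two smaller items: the editor child uses `/{var/,}tmp/{.,}mutt*` while html-renderer, pager and gpg use `/{var/,}tmp/mutt*`, so the dot-prefixed compose directories are reachable only from the editor, which is probably intended but deserves a comment; and `owner @{HOME}/.lesshs* r,` is read-only, so if less still keeps its history in the legacy `~/.lesshst` location rather than the `~/.local/state/less*` path the profile allows with `rw`, saving history would be denied.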