# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2022 Mikhail Morfikov
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/3.0>,

include <tunables/global>

@{lib_dirs} = @{lib}/git/ @{lib}/git-core/
@{code_config_dirs} = @{user_config_dirs}/Code* @{HOME}/.vscode{,-oss}

@{exec_path}  = @{bin}/git @{bin}/git-*
@{exec_path} += @{lib_dirs}/git @{lib_dirs}/git-* @{lib_dirs}/mergetools/*
profile git @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/consoles>
  include <abstractions/nameservice-strict>
  include <abstractions/ssl_certs>

  network inet dgram,
  network inet6 dgram,
  network inet stream,
  network inet6 stream,
  network netlink raw,

  signal send peer=aurpublish,

  @{exec_path} mrix,

  # When you mistype a command, git checks the $PATH variable and search its exec dirs to give you
  # the most similar commands, which it thinks can be used instead. Git binaries are all under
  # /usr/bin/ , so allow only this location.
  @{bin}/ r,
  deny @{bin}/*/ r,
  deny /usr/games/ r,
  deny /usr/local/{s,}bin/ r,
  deny /usr/local/games/ r,
  deny /var/lib/flatpak/exports/bin/ r,
  deny owner @{HOME}/.go/bin/ r,
  deny owner @{user_bin_dirs}/ r,

  # These are needed for "git submodule update"
  @{sh_path}         rix,
  @{bin}/{,e}grep    rix,
  @{bin}/alts        rix,
  @{bin}/basename    rix,
  @{bin}/cat         rix,
  @{bin}/date        rix,
  @{bin}/dirname     rix,
  @{bin}/envsubst    rix,
  @{bin}/gettext     rix,
  @{bin}/gettext.sh  rix,
  @{bin}/hostname    rix,
  @{bin}/mkdir       rix,
  @{bin}/mv          rix,
  @{bin}/rm          rix,
  @{bin}/sed         rix,
  @{bin}/tar         rix,
  @{bin}/true        rix,
  @{bin}/uname       rix,
  @{bin}/wc          rix,
  @{bin}/whoami      rix,

  @{pager_path}      rPx -> child-pager,

  @{bin}/man         rPx,
  @{bin}/meld       rPUx,
  @{lib}/code/extensions/git/dist/askpass.sh     rPx,
  @{lib}/code/extensions/git/dist/git-editor.sh  rPx,
  /usr/share/aurpublish/*.hook                   rPx,

  @{bin}/gpg{,2}         rCx -> gpg,
  @{bin}/ssh             rCx -> ssh,
  @{editor_path}         rCx -> editor,

  /usr/share/git{,-core}/{,**} r,
  /usr/share/libalternatives/{,**} r,
  /usr/share/terminfo/** r,

  /etc/gitconfig r,
  /etc/mailname r,

  owner @{user_projects_dirs}/   rw,
  owner @{user_projects_dirs}/** rwkl -> @{user_projects_dirs}/**,
  owner @{user_projects_dirs}/**/.git/hooks/* rix,

  owner @{user_cache_dirs}/*/ rw,
  owner @{user_cache_dirs}/*/** rwkl -> @{user_cache_dirs}/*/**,

  owner @{HOME}/.gitconfig* rw,
  owner @{HOME}/.netrc r,
  owner @{user_config_dirs}/git/{,*} rw,

  owner @{tmp}/.git_vtag_tmp@{rand6} rw,       # For git log --show-signature
  owner @{tmp}/git-commit-msg-.txt rw,         # For android studio
  owner @{tmp}/git-difftool.*/{,**} rw,        # For diffs

  deny owner @{code_config_dirs}/** rw,
  deny owner @{user_share_dirs}/gvfs-metadata/* r,
  deny owner @{user_share_dirs}/vulkan/** r,
  deny owner @{user_share_dirs}/zed/**/data.mdb rw,
  deny /usr/share/nvidia/nvidia-application-profiles-* r,
  deny /dev/shm/.org.chromium.Chromium.@{rand6} rw,

  profile gpg flags=(attach_disconnected) {
    include <abstractions/base>
    include <abstractions/consoles>

    @{bin}/gpg{,2}     mr,
    @{bin}/gpg-agent  rPx,

    owner @{HOME}/@{XDG_GPG_DIR}/ rw,
    owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,

    owner @{tmp}/.git_vtag_tmp@{rand6} r,

    deny @{user_share_dirs}/gvfs-metadata/* r,

    include if exists <local/git_gpg>
  }

  profile ssh flags=(attach_disconnected) {
    include <abstractions/base>
    include <abstractions/consoles>
    include <abstractions/nameservice-strict>

    network inet dgram,
    network inet6 dgram,
    network inet stream,
    network inet6 stream,
    network netlink raw,

    @{bin}/ssh mr,

    @{etc_ro}/ssh/ssh_config.d/{,*} r,
    @{etc_ro}/ssh/ssh_config r,

    owner @{HOME}/@{XDG_SSH_DIR}/* r,
    owner @{HOME}/@{XDG_SSH_DIR}/known_hosts.old rwl,
    owner @{HOME}/@{XDG_SSH_DIR}/known_hosts{,.*} rw,
    owner @{HOME}/@{XDG_SSH_DIR}/ssh_control_* rwl,

    owner @{tmp}/git@*:@{int} rwl -> @{tmp}/git@*:@{int}.*,
    owner @{tmp}/ssh-*/agent.@{int} rw,

    owner @{PROC}/@{pid}/fd/ r,

    deny @{user_share_dirs}/gvfs-metadata/* r,

    include if exists <local/git_ssh>
  }

  profile exec flags=(attach_disconnected) {
    include <abstractions/base>

    owner @{user_build_dirs}/**/bin/* mr,

    include if exists <local/git_exec>
  }

  profile editor flags=(attach_disconnected) {
    include <abstractions/base>
    include <abstractions/app/editor>

    owner @{user_projects_dirs}/**/ r,
    owner @{user_projects_dirs}/**/.git/@{int} rw,
    owner @{user_projects_dirs}/**/.git/*MSG rw,

    # The git repository files
    owner @{user_build_dirs}/ r,
    owner @{user_build_dirs}/** rw,

    include if exists <local/git_editor>
  }

  include if exists <local/git>
}

# vim:syntax=apparmor