# apparmor.d - Full set of apparmor profiles # Copyright (C) 2020-2022 Mikhail Morfikov # Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , include @{exec_path} = /{usr/,}bin/git @{exec_path} += /{usr/,}bin/git-* @{exec_path} += /{usr/,}lib/git-core/git @{exec_path} += /{usr/,}lib/git-core/git-* @{exec_path} += @{libexec}/git-core/git @{exec_path} += @{libexec}/git-core/git-* @{exec_path} += @{libexec}/git-core/mergetools/* profile git @{exec_path} { include include include include include network inet dgram, network inet6 dgram, network inet stream, network inet6 stream, network netlink raw, signal (send) peer=aurpublish, @{exec_path} mrix, # When you mistype a command, git checks the $PATH variable and search its exec dirs to give you # the most similar commands, which it thinks can be used instead. Git binaries are all under # /usr/bin/ , so allow only this location. /{usr/,}bin/ r, deny /{usr/,}sbin/ r, deny /usr/local/{s,}bin/ r, deny /usr/games/ r, deny /usr/local/games/ r, # These are needed for "git submodule update" /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/{,e}grep rix, /{usr/,}bin/basename rix, /{usr/,}bin/cat rix, /{usr/,}bin/cat rix, /{usr/,}bin/date rix, /{usr/,}bin/dirname rix, /{usr/,}bin/envsubst rix, /{usr/,}bin/gettext rix, /{usr/,}bin/gettext.sh rix, /{usr/,}bin/hostname rix, /{usr/,}bin/mkdir rix, /{usr/,}bin/mv rix, /{usr/,}bin/rm rix, /{usr/,}bin/sed rix, /{usr/,}bin/uname rix, /{usr/,}bin/wc rix, /{usr/,}bin/whoami rix, /{usr/,}bin/pager rPx -> child-pager, /{usr/,}bin/less rPx -> child-pager, /{usr/,}bin/more rPx -> child-pager, /{usr/,}bin/man rPx, /{usr/,}bin/meld rPUx, /{usr/,}lib/code/extensions/git/dist/askpass.sh rPx, /usr/share/aurpublish/*.hook rPx, /{usr/,}bin/gpg rCx -> gpg, /{usr/,}bin/ssh rCx -> ssh, /{usr/,}bin/sensible-editor rCx -> editor, /{usr/,}bin/vim rCx -> editor, /{usr/,}bin/vim.* rCx -> editor, /usr/share/git-core/{,**} r, /usr/share/terminfo/x/xterm-256color r, /etc/mailname r, owner @{user_projects_dirs}/ rw, owner @{user_projects_dirs}/** rwkl -> @{user_projects_dirs}/**, owner @{user_cache_dirs}/*/ rw, owner @{user_cache_dirs}/*/** rwkl -> @{user_cache_dirs}/*/**, owner /tmp/** rwkl -> /tmp/**, owner /tmp/**/bin/* rCx -> exec, owner @{HOME}/.gitconfig* r, owner @{HOME}/.netrc r, owner @{user_config_dirs}/git/{,*} rw, owner /tmp/git-difftool.*/ rw, # For diffs owner /tmp/git-difftool.*/right/{,**} rw, owner /tmp/git-difftool.*/left/{,**} rw, owner /tmp/* rw, owner /tmp/tmp*/ rw, # For TWRP-device-tree-generator owner /tmp/tmp*/** rwkl -> /tmp/tmp*/**, owner /tmp/.git_vtag_tmp* rw, # For git log --show-signature owner /tmp/git-commit-msg-.txt rw, # For android studio deny @{user_share_dirs}/gvfs-metadata/* r, profile gpg { include include /{usr/,}bin/gpg mr, /{usr/,}bin/gpg-agent rPx, owner @{HOME}/@{XDG_GPG_DIR}/ rw, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, owner /tmp/.git_vtag_tmp* r, deny @{user_share_dirs}/gvfs-metadata/* r, } profile ssh { include include include network inet dgram, network inet6 dgram, network inet stream, network inet6 stream, network netlink raw, /{usr/,}bin/ssh mr, /etc/ssh/ssh_config.d/{,*} r, /etc/ssh/ssh_config r, owner @{HOME}/@{XDG_SSH_DIR}/* r, owner @{HOME}/@{XDG_SSH_DIR}/known_hosts{,.*} rw, owner @{HOME}/@{XDG_SSH_DIR}/known_hosts.old rwl, owner /tmp/git@*:[0-9]* rwl -> /tmp/git@*:[0-9]*.*, owner @{PROC}/@{pid}/fd/ r, deny @{user_share_dirs}/gvfs-metadata/* r, } profile exec { include owner @{user_build_dirs}/**/bin/* mr, } profile editor { include include /{usr/,}bin/sensible-editor mr, /{usr/,}bin/vim mrix, /{usr/,}bin/vim.* mrix, /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/which{,.debianutils} rix, /usr/share/vim/{,**} r, /usr/share/terminfo/x/xterm-256color r, /etc/vimrc r, /etc/vim/{,**} r, owner @{user_projects_dirs}/**/ r, owner @{user_projects_dirs}/**/.git/[0-9]* rw, owner @{user_projects_dirs}/**/.git/*MSG rw, owner @{HOME}/.fzf/plugin/ r, owner @{HOME}/.fzf/plugin/fzf.vim r, owner @{HOME}/.selected_editor r, owner @{HOME}/.viminfo{,.tmp} rw, owner @{user_cache_dirs}/vim/{,**} rw, owner @{user_config_dirs}/vim/{,**} r, # The git repository files owner @{user_build_dirs}/ r, owner @{user_build_dirs}/** rw, } include if exists }