# apparmor.d - Full set of apparmor profiles # Copyright (C) 2019-2021 Mikhail Morfikov # SPDX-License-Identifier: GPL-2.0-only abi , include @{ANDROID_SOURCE_DIR} = @{MOUNTS}/Android/ @{exec_path} = /{usr/,}bin/repo profile repo @{exec_path} { include include include include include network inet dgram, network inet6 dgram, network inet stream, network inet6 stream, network netlink raw, @{exec_path} r, /{usr/,}bin/python3.[0-9]* rix, /{usr/,}bin/ r, /{usr/,}bin/env rix, /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/uname rix, /{usr/,}bin/git rix, /{usr/,}lib/git-core/git rix, /{usr/,}lib/git-core/git-* rix, /{usr/,}bin/curl rCx -> curl, /{usr/,}bin/gpg rCx -> gpg, /{usr/,}bin/ssh rPx, # Android source dir owner @{ANDROID_SOURCE_DIR}/** rwkl -> @{ANDROID_SOURCE_DIR}/**, owner @{ANDROID_SOURCE_DIR}/**/.repo/repo/main.py rix, owner @{HOME}/.repoconfig/{,**} rw, owner @{HOME}/.repo_.gitconfig.json rw, owner @{user_config_dirs}/git/config rw, owner @{HOME}/.gitconfig rw, owner @{HOME}/.gitconfig.lock rwk, /usr/share/git-core/{,**} r, owner /tmp/.git_vtag_tmp* rw, owner /tmp/ssh-*/ rw, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mounts r, owner /dev/shm/* rw, owner /dev/shm/sem.mp* rwl -> /dev/shm/*, # Silencer deny /etc/.repo_gitconfig.json w, profile curl { include include include include /{usr/,}bin/curl mr, } profile gpg { include /{usr/,}bin/gpg mr, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, owner @{HOME}/.repoconfig/gnupg/** rwkl -> @{HOME}/.repoconfig/gnupg/**, owner /tmp/.git_vtag_tmp* r, } include if exists }