# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/4.0>,

include <tunables/global>

@{exec_path} = /usr/share/libalpm/scripts/detect-old-perl-modules.sh
profile pacman-hook-perl @{exec_path} {
  include <abstractions/base>

  capability dac_read_search,
  capability mknod,

  @{exec_path} mr,

  @{bin}/perl    rix,
  @{bin}/bash    rix,
  @{bin}/find    rix,
  @{bin}/pacman  rPx,
  @{bin}/sed     rix,

  @{lib}/perl@{int}/{,**} r,

        /dev/tty rw,
        /dev/tty@{int} rw,
  owner /dev/pts/@{int} rw,

  # Inherit silencer
  deny network inet6 stream,
  deny network inet stream,

  include if exists <local/pacman-hook-perl>
}

# vim:syntax=apparmor