75 lines
2 KiB
Text
75 lines
2 KiB
Text
# apparmor.d - Full set of apparmor profiles
|
|
# Copyright (C) 2017-2022 Mikhail Morfikov
|
|
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
|
|
# SPDX-License-Identifier: GPL-2.0-only
|
|
|
|
abi <abi/3.0>,
|
|
|
|
include <tunables/global>
|
|
|
|
@{exec_path} = @{bin}/gpg{,2}
|
|
profile gpg @{exec_path} {
|
|
include <abstractions/base>
|
|
include <abstractions/consoles>
|
|
include <abstractions/nameservice-strict>
|
|
include <abstractions/user-download-strict>
|
|
include <abstractions/user-read-strict>
|
|
|
|
capability dac_read_search,
|
|
|
|
network netlink raw,
|
|
|
|
@{exec_path} mrix,
|
|
|
|
@{bin}/dirmngr rPx,
|
|
@{bin}/gpg-agent rPx,
|
|
@{bin}/gpg-connect-agent rPx,
|
|
@{bin}/gpgconf rPx,
|
|
@{bin}/gpgsm rPx,
|
|
@{lib}/{,gnupg/}scdaemon rPx,
|
|
|
|
/etc/inputrc r,
|
|
|
|
owner @{HOME}/@{XDG_GPG_DIR}/ rw,
|
|
owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
|
|
|
|
owner @{HOME}/.var/app/**/gnupg*/** rw,
|
|
owner @{HOME}/.var/app/**/gnupg*/** rwkl -> @{HOME}/.var/app/**/gnupg*/**,
|
|
|
|
owner @{user_projects_dirs}/**/gnupg/ rw,
|
|
owner @{user_projects_dirs}/**/gnupg/** rwkl -> @{user_projects_dirs}/**/gnupg/**,
|
|
|
|
#aa:only apt
|
|
owner /etc/apt/keyrings/ rw,
|
|
owner /etc/apt/keyrings/** rwkl -> /etc/apt/keyrings/**,
|
|
|
|
#aa:only pacman
|
|
/etc/pacman.d/gnupg/gpg.conf r,
|
|
/etc/pacman.d/gnupg/pubring.gpg r,
|
|
/etc/pacman.d/gnupg/trustdb.gpg r,
|
|
|
|
owner /var/lib/*/gnupg/ rw,
|
|
owner /var/lib/*/gnupg/** rwkl -> /var/lib/*/gnupg/**,
|
|
|
|
owner /var/lib/*/.gnupg/ rw,
|
|
owner /var/lib/*/.gnupg/** rwkl -> /var/lib/*/.gnupg/**,
|
|
|
|
# TODO: Remove after zypper profile is created
|
|
#aa:only zypper
|
|
owner /var/tmp/zypp.@{rand6}/ rw,
|
|
owner /var/tmp/zypp.@{rand6}/** rwkl -> /var/tmp/zypp.@{rand6}/**,
|
|
|
|
#aa:exclude ubuntu
|
|
owner @{tmp}/ostree-gpg-@{rand6}/ r,
|
|
owner @{tmp}/ostree-gpg-@{rand6}/** rwkl -> /tmp/ostree-gpg-@{rand6}/**,
|
|
|
|
owner /tmp/@{int}@{int} rw,
|
|
|
|
owner @{PROC}/@{pid}/fd/ r,
|
|
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
|
|
owner @{PROC}/@{pid}/task/@{tid}/stat rw,
|
|
|
|
include if exists <local/gpg>
|
|
}
|
|
|
|
# vim:syntax=apparmor
|