diff --git a/apparmor.d/groups/pacman/makepkg b/apparmor.d/groups/pacman/makepkg
new file mode 100644
index 000000000..6aa98d84d
--- /dev/null
+++ b/apparmor.d/groups/pacman/makepkg
@@ -0,0 +1,75 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/makepkg
+profile makepkg @{exec_path} {
+ include
+ include
+
+ network inet stream,
+ network inet6 stream,
+ network inet dgram,
+ network inet6 dgram,
+ network netlink raw,
+
+ file,
+
+ @{bin}/gpg{,2} Cx -> gpg,
+ @{bin}/gpgconf Cx -> gpg,
+ @{bin}/gpgsm Cx -> gpg,
+ @{bin}/sudo Cx -> sudo,
+
+ profile gpg {
+ include
+ include
+
+ @{bin}/gpg{,2} mr,
+ @{bin}/gpgconf mr,
+ @{bin}/gpgsm mr,
+
+ @{bin}/dirmngr rix,
+ @{bin}/gpg-agent rix,
+ @{bin}/gpg-connect-agent rix,
+ @{lib}/{,gnupg/}scdaemon rix,
+
+ /etc/pacman.d/gnupg/ r,
+ /etc/pacman.d/gnupg/** rwkl -> /etc/pacman.d/gnupg/**,
+
+ owner @{user_pkg_dirs}/{,**} rw,
+
+ owner @{HOME}/@{XDG_GPG_DIR}/ rw,
+ owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
+
+ owner @{run}/user/@{uid}/ r,
+ owner @{run}/user/@{uid}/gnupg/ r,
+ owner @{run}/user/@{uid}/gnupg/d.@{rand}/ rw,
+ owner @{run}/user/@{uid}/gnupg/d.@{rand}/S.scdaemon rw,
+ owner @{run}/user/@{uid}/gnupg/S.scdaemon rw,
+
+ owner @{PROC}/@{pid}/fd/ r,
+
+ include if exists
+ }
+
+ profile sudo {
+ include
+ include
+
+ capability sys_ptrace,
+
+ ptrace read,
+
+ @{bin}/pacman Px,
+
+ include if exists
+ }
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman
index 957e521f4..d90daf9ba 100644
--- a/apparmor.d/groups/pacman/pacman
+++ b/apparmor.d/groups/pacman/pacman
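Review bot: In the `gpg` child profile, `/etc/pacman.d/gnupg/** rwkl -> /etc/pacman.d/gnupg/**,` carries no `owner` qualifier, so a gpg spawned during a PKGBUILD build (makepkg runs as the build user, not root) is permitted to write, lock and link inside the system pacman keyring whenever DAC allows it; as far as I can tell the build user only needs to read that directory, so `/etc/pacman.d/gnupg/** r,` looks sufficient here and the `rwkl` form belongs in the pacman profile touched by the next hunk. Separately, gpg-agent runs `rix` inside this same child, yet the only socket listed under `@{run}/user/@{uid}/gnupg/` is `S.scdaemon`; unless one of the included abstractions already provides it, signing through the default socket directory will be denied and `owner @{run}/user/@{uid}/gnupg/S.gpg-agent rw,` is needed. The `abi` and `include` targets did not survive rendering in this hunk, so I could not confirm what those abstractions contribute.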
@@ -168,7 +168,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) {
 @{bin}/gpg-connect-agent rix,
 /etc/pacman.d/gnupg/ rw,
- /etc/pacman.d/gnupg/** rwkl,
+ /etc/pacman.d/gnupg/** rwkl -> /etc/pacman.d/gnupg/**,
 @{HOME}/@{XDG_GPG_DIR}/*.conf r,