apparmor.d/profiles/git

# vim:syntax=apparmor
# ------------------------------------------------------------------
#
#    Copyright (C) 2020-2021 Mikhail Morfikov
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License published by the Free Software Foundation.
#
# ------------------------------------------------------------------

abi <abi/3.0>,

include <tunables/global>

@{BUILD_DIR} = /media/debuilder/

@{exec_path}  = /{usr/,}bin/git
@{exec_path} += /{usr/,}bin/git-*
@{exec_path} += /{usr/,}lib/git-core/git
@{exec_path} += /{usr/,}lib/git-core/git-*
@{exec_path} += /usr/libexec/git-core/git
@{exec_path} += /usr/libexec/git-core/git-*
@{exec_path} += /usr/libexec/git-core/mergetools/*

profile git @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
  include <abstractions/ssl_certs>
  include <abstractions/nameservice-strict>

  network inet dgram,
  network inet6 dgram,
  network inet stream,
  network inet6 stream,

  @{exec_path} mrix,

  # When you mistype a command, git checks the $PATH variable and search its exec dirs to give you
  # the most similar commands, which it thinks can be used instead. Git binaries are all under
  # /usr/bin/ , so allow only this location.
  /{usr/,}bin/ r,
  deny /{usr/,}sbin/ r,
  deny /usr/local/bin/ r,
  deny /usr/games/ r,
  deny /usr/local/games/ r,

  # These are needed for "git submodule update"
  /{usr/,}bin/basename    rix,
  /{usr/,}bin/sed         rix,
  /{usr/,}bin/gettext.sh  rix,
  /{usr/,}bin/uname       rix,
  /{usr/,}bin/envsubst    rix,
  /{usr/,}bin/gettext     rix,

  /{usr/,}bin/{,ba,da}sh  rix,
  /{usr/,}bin/{,e}grep    rix,

  /{usr/,}bin/pager       rPx -> child-pager,
  /{usr/,}bin/less        rPx -> child-pager,
  /{usr/,}bin/more        rPx -> child-pager,

  /{usr/,}bin/man         rPx,

  # For signing commits
  /{usr/,}bin/gpg         rCx -> gpg,

  # For SSH support
  /{usr/,}bin/ssh         rCx -> ssh,

  # Difftools
  /{usr/,}bin/meld       rPUx,

  /{usr/,}bin/sensible-editor rCx -> editor,
  /{usr/,}bin/vim.*           rCx -> editor,

  owner @{HOME}/.config/git/ rw,
  owner @{HOME}/.config/git/config rw,

  /usr/share/git-core/{,**} r,

  # For diffs
  owner /tmp/git-difftool.*/ rw,
  owner /tmp/git-difftool.*/right/{,**} rw,
  owner /tmp/git-difftool.*/left/{,**} rw,
  owner /tmp/* rw,

  # For git log --show-signature
  owner /tmp/.git_vtag_tmp* rw,

  # For android studio
  owner /tmp/git-commit-msg-.txt rw,

  # For package building
  owner @{HOME}/*/            rw,
  owner @{HOME}/*/**          rwkl -> @{HOME}/*/**,
  owner @{BUILD_DIR}/**       rwkl -> @{BUILD_DIR}/**,
  owner @{BUILD_DIR}/**/bin/*  rCx -> exec,

  /etc/mailname r,


  profile gpg {
    include <abstractions/base>
    include <abstractions/consoles>

    /{usr/,}bin/gpg mr,

    owner @{HOME}/.gnupg/ rw,
    owner @{HOME}/.gnupg/** rwkl -> @{HOME}/.gnupg/**,

    owner /tmp/.git_vtag_tmp* r,

  }

  profile ssh {
    include <abstractions/base>
    include <abstractions/nameservice-strict>
    include <abstractions/openssl>

    network inet dgram,
    network inet6 dgram,
    network inet stream,
    network inet6 stream,

    /{usr/,}bin/ssh mr,

    /etc/ssh/ssh_config.d/{,*} r,
    /etc/ssh/ssh_config r,

    owner @{HOME}/.ssh/* r,
    owner @{HOME}/.ssh/known_hosts rw,

    owner @{PROC}/@{pid}/fd/ r,

    owner /tmp/git@*:[0-9]* rwl -> /tmp/git@*:[0-9]*.*,

  }

  profile exec {
    include <abstractions/base>

    owner @{BUILD_DIR}/**/bin/* mr,

  }

  profile editor {
    include <abstractions/base>
    include <abstractions/nameservice-strict>

    /{usr/,}bin/sensible-editor mr,
    /{usr/,}bin/vim.*           mrix,
    /{usr/,}bin/{,ba,da}sh       rix,
    /{usr/,}bin/which            rix,

    owner @{HOME}/.selected_editor r,

    /usr/share/vim/{,**} r,
    /etc/vim/{,**} r,
    owner @{HOME}/.viminfo{,.tmp} rw,

    owner @{HOME}/.fzf/plugin/ r,
    owner @{HOME}/.fzf/plugin/fzf.vim r,

    # The git repository files
    owner @{BUILD_DIR}/ r,
    owner @{BUILD_DIR}/** rw,

  }

  include if exists <local/git>
}
move apparmor profiles to a seperate repo 2020-09-12 17:19:23 +02:00			`# vim:syntax=apparmor`
			`# ------------------------------------------------------------------`
			`#`
update apparmor profiles 2021-01-10 16:35:07 +01:00			`# Copyright (C) 2020-2021 Mikhail Morfikov`
move apparmor profiles to a seperate repo 2020-09-12 17:19:23 +02:00			`#`
			`# This program is free software; you can redistribute it and/or`
			`# modify it under the terms of version 2 of the GNU General Public`
			`# License published by the Free Software Foundation.`
			`#`
			`# ------------------------------------------------------------------`

update profiles for apparmor3 2020-12-10 22:33:39 +01:00			`abi <abi/3.0>,`
move apparmor profiles to a seperate repo 2020-09-12 17:19:23 +02:00
update profiles for apparmor3 2020-12-10 22:33:39 +01:00			`include <tunables/global>`
move apparmor profiles to a seperate repo 2020-09-12 17:19:23 +02:00
			`@{BUILD_DIR} = /media/debuilder/`

update apparmor profiles 2021-03-21 17:04:10 +01:00			`@{exec_path} = /{usr/,}bin/git`
			`@{exec_path} += /{usr/,}bin/git-*`
			`@{exec_path} += /{usr/,}lib/git-core/git`
			`@{exec_path} += /{usr/,}lib/git-core/git-*`
			`@{exec_path} += /usr/libexec/git-core/git`
			`@{exec_path} += /usr/libexec/git-core/git-*`
			`@{exec_path} += /usr/libexec/git-core/mergetools/*`

move apparmor profiles to a seperate repo 2020-09-12 17:19:23 +02:00			`profile git @{exec_path} {`
update profiles for apparmor3 2020-12-10 22:33:39 +01:00			`include <abstractions/base>`
			`include <abstractions/consoles>`
			`include <abstractions/ssl_certs>`
			`include <abstractions/nameservice-strict>`

			`network inet dgram,`
			`network inet6 dgram,`
			`network inet stream,`
			`network inet6 stream,`

update apparmor profiles 2021-03-21 17:04:10 +01:00			`@{exec_path} mrix,`
move apparmor profiles to a seperate repo 2020-09-12 17:19:23 +02:00
			`# When you mistype a command, git checks the $PATH variable and search its exec dirs to give you`
			`# the most similar commands, which it thinks can be used instead. Git binaries are all under`
			`# /usr/bin/ , so allow only this location.`
			`/{usr/,}bin/ r,`
			`deny /{usr/,}sbin/ r,`
			`deny /usr/local/bin/ r,`
			`deny /usr/games/ r,`
			`deny /usr/local/games/ r,`

			`# These are needed for "git submodule update"`
			`/{usr/,}bin/basename rix,`
			`/{usr/,}bin/sed rix,`
			`/{usr/,}bin/gettext.sh rix,`
			`/{usr/,}bin/uname rix,`
			`/{usr/,}bin/envsubst rix,`
			`/{usr/,}bin/gettext rix,`

update apparmor profiles 2020-12-09 10:30:52 +01:00			`/{usr/,}bin/{,ba,da}sh rix,`
move apparmor profiles to a seperate repo 2020-09-12 17:19:23 +02:00			`/{usr/,}bin/{,e}grep rix,`

			`/{usr/,}bin/pager rPx -> child-pager,`
			`/{usr/,}bin/less rPx -> child-pager,`
			`/{usr/,}bin/more rPx -> child-pager,`

			`/{usr/,}bin/man rPx,`

			`# For signing commits`
			`/{usr/,}bin/gpg rCx -> gpg,`

			`# For SSH support`
			`/{usr/,}bin/ssh rCx -> ssh,`

			`# Difftools`
			`/{usr/,}bin/meld rPUx,`

update apparmor profiles 2020-09-18 20:05:47 +02:00			`/{usr/,}bin/sensible-editor rCx -> editor,`
			`/{usr/,}bin/vim.* rCx -> editor,`

move apparmor profiles to a seperate repo 2020-09-12 17:19:23 +02:00			`owner @{HOME}/.config/git/ rw,`
			`owner @{HOME}/.config/git/config rw,`

			`/usr/share/git-core/{,**} r,`

			`# For diffs`
			`owner /tmp/git-difftool.*/ rw,`
			`owner /tmp/git-difftool./right/{,*} rw,`
			`owner /tmp/git-difftool./left/{,*} rw,`
			`owner /tmp/* rw,`

			`# For git log --show-signature`
			`owner /tmp/.git_vtag_tmp* rw,`

			`# For android studio`
			`owner /tmp/git-commit-msg-.txt rw,`

			`# For package building`
			`owner @{HOME}/*/ rw,`
			`owner @{HOME}//* rwkl -> @{HOME}//*,`
			`owner @{BUILD_DIR}/ rwkl -> @{BUILD_DIR}/,`
			`owner @{BUILD_DIR}/*/bin/ rCx -> exec,`

			`/etc/mailname r,`


			`profile gpg {`
update profiles for apparmor3 2020-12-10 22:33:39 +01:00			`include <abstractions/base>`
			`include <abstractions/consoles>`
move apparmor profiles to a seperate repo 2020-09-12 17:19:23 +02:00
			`/{usr/,}bin/gpg mr,`

			`owner @{HOME}/.gnupg/ rw,`
			`owner @{HOME}/.gnupg/ rwkl -> @{HOME}/.gnupg/,`

			`owner /tmp/.git_vtag_tmp* r,`

			`}`

			`profile ssh {`
update profiles for apparmor3 2020-12-10 22:33:39 +01:00			`include <abstractions/base>`
			`include <abstractions/nameservice-strict>`
			`include <abstractions/openssl>`
move apparmor profiles to a seperate repo 2020-09-12 17:19:23 +02:00
update apparmor profiles 2020-12-18 11:12:55 +01:00			`network inet dgram,`
			`network inet6 dgram,`
			`network inet stream,`
			`network inet6 stream,`

move apparmor profiles to a seperate repo 2020-09-12 17:19:23 +02:00			`/{usr/,}bin/ssh mr,`

			`/etc/ssh/ssh_config.d/{,*} r,`
			`/etc/ssh/ssh_config r,`

			`owner @{HOME}/.ssh/* r,`
			`owner @{HOME}/.ssh/known_hosts rw,`

			`owner @{PROC}/@{pid}/fd/ r,`

			`owner /tmp/git@:[0-9] rwl -> /tmp/git@:[0-9].*,`

			`}`

			`profile exec {`
update profiles for apparmor3 2020-12-10 22:33:39 +01:00			`include <abstractions/base>`
move apparmor profiles to a seperate repo 2020-09-12 17:19:23 +02:00
			`owner @{BUILD_DIR}/*/bin/ mr,`

			`}`

update profiles for apparmor3 2020-12-10 22:33:39 +01:00			`profile editor {`
			`include <abstractions/base>`
			`include <abstractions/nameservice-strict>`
update apparmor profiles 2020-09-18 20:05:47 +02:00
			`/{usr/,}bin/sensible-editor mr,`
			`/{usr/,}bin/vim.* mrix,`
update apparmor profiles 2020-12-09 10:30:52 +01:00			`/{usr/,}bin/{,ba,da}sh rix,`
update apparmor profiles 2020-09-18 20:05:47 +02:00			`/{usr/,}bin/which rix,`

			`owner @{HOME}/.selected_editor r,`

			`/usr/share/vim/{,**} r,`
			`/etc/vim/{,**} r,`
			`owner @{HOME}/.viminfo{,.tmp} rw,`

			`owner @{HOME}/.fzf/plugin/ r,`
			`owner @{HOME}/.fzf/plugin/fzf.vim r,`

			`# The git repository files`
update apparmor profiles 2021-03-21 17:04:10 +01:00			`owner @{BUILD_DIR}/ r,`
			`owner @{BUILD_DIR}/** rw,`
update apparmor profiles 2020-09-18 20:05:47 +02:00
			`}`

update profiles for apparmor3 2020-12-10 22:33:39 +01:00			`include if exists <local/git>`
move apparmor profiles to a seperate repo 2020-09-12 17:19:23 +02:00			`}`