From 07928318d4c487b98c98b30866bd63c398e359dc Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Fri, 13 Sep 2024 00:06:46 +0100
Subject: [PATCH] feat(profile): add tomb.
---
 apparmor.d/profiles-s-z/tomb | 132 +++++++++++++++++++++++++++++++++++
 1 file changed, 132 insertions(+)
 create mode 100644 apparmor.d/profiles-s-z/tomb
diff --git a/apparmor.d/profiles-s-z/tomb b/apparmor.d/profiles-s-z/tomb
new file mode 100644
index 00000000..44a34595
--- /dev/null
+++ b/apparmor.d/profiles-s-z/tomb
@@ -0,0 +1,132 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/tomb
+profile tomb @{exec_path} {
+ include
+ include
+ include
+ include
+ include
+ include
+
+ capability chown,
+ capability fowner,
+ capability sys_ptrace,
+ capability sys_rawio,
+
+ signal send set=cont peer=gpg,
+
+ ptrace read peer=@{p_systemd_user},
+
+ @{exec_path} mr,
+
+ @{bin}/{,e,f}grep rix,
+ @{bin}/awk rix,
+ @{bin}/basename rix,
+ @{bin}/cat rix,
+ @{bin}/chmod rix,
+ @{bin}/chown rix,
+ @{bin}/cp rix,
+ @{bin}/date rix,
+ @{bin}/dcfldd rix,
+ @{bin}/dd rix,
+ @{bin}/df rix,
+ @{bin}/dirname rix,
+ @{bin}/env rix,
+ @{bin}/file rix,
+ @{bin}/findmnt rix,
+ @{bin}/gawk rix,
+ @{bin}/getent rix,
+ @{bin}/gettext rix,
+ @{bin}/hostname rix,
+ @{bin}/id rix,
+ @{bin}/kill rix,
+ @{bin}/locate rix,
+ @{bin}/losetup rix,
+ @{bin}/ls rix,
+ @{bin}/lsof rix,
+ @{bin}/mkdir rix,
+ @{bin}/mktemp rix,
+ @{bin}/realpath rix,
+ @{bin}/recoll rix,
+ @{bin}/rm rix,
+ @{bin}/rmdir rix,
+ @{bin}/sha*sum rix,
+ @{bin}/shred rix,
+ @{bin}/sleep rix,
+ @{bin}/stat rix,
+ @{bin}/sudo rix,
+ @{bin}/touch rix,
+ @{bin}/tr rix,
+ @{bin}/zsh rix,
+
+ @{bin}/btrfs rPx,
+ @{bin}/cryptsetup rPUx,
+ @{bin}/e2fsc rPUx,
+ @{bin}/fsck rPx,
+ @{bin}/gpg{,2} rPx,
+ @{bin}/lsblk rPx,
+ @{bin}/mkfs.* rPUx,
+ @{bin}/mount rPx,
+ @{bin}/pinentry rPx,
+ @{bin}/pinentry-* rPx,
+ @{bin}/qrencode rPx,
+ @{bin}/resize2fs rPx,
+ @{bin}/tomb-kdb-pbkdf2 rPUx,
+ @{bin}/tune2fs rPx,
+ @{bin}/umount rCx -> umount,
+ @{bin}/updatedb.mlocate rPx,
+ @{bin}/zramctl rPx,
+
+ /usr/share/file/** r,
+ /usr/share/terminfo/** r,
+
+ @{MOUNTDIRS}/ rw,
+ @{MOUNTS}/ rw,
+ @{MOUNTS}/** w,
+ @{MOUNTS}/**/ rw,
+ owner @{MOUNTS}/.{host,last,tty,uid,cleanexit} rw,
+
+ # TODO: access to tomb files and key.
+ @{user_private_dirs}/**/*tomb* rw,
+
+ /tmp/ r,
+ owner @{tmp}/@{int} rw,
+ owner @{tmp}/@{int}@{int} rw,
+ owner @{tmp}/zsh@{rand6} rw,
+ owner @{tmp}/zshm@{rand6} rw,
+
+ @{sys}/devices/virtual/block/zram@{int}/backing_dev r,
+
+ @{PROC}/swaps r,
+ owner @{PROC}/@{pid}/cmdline r,
+ owner @{PROC}/@{pid}/mountinfo r,
+
+ /dev/loop-control rw,
+ /dev/loop@{int} rw,
+
+ profile umount {
+ include
+ include
+
+ capability sys_admin,
+
+ umount @{MOUNTS}/{,*/},
+
+ @{bin}/umount mr,
+
+ owner @{run}/mount/utab r,
+
+ include if exists
+ }
+
+ include if exists
+}
+
+# vim:syntax=apparmor
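Review bot: `@{bin}/e2fsc rPUx,` in the transition list looks like a typo for `e2fsck`; e2fsprogs ships no binary named `e2fsc`, so if tomb runs `e2fsck` directly that exec would match no rule and be denied, which is worth checking against the commands tomb actually invokes. `@{bin}/sudo rix,` keeps sudo confined by this profile, which grants neither the setuid/setgid capabilities nor the sudoers and PAM reads sudo presumably needs when tomb re-executes itself as root; if the repository carries a sudo profile, `@{bin}/sudo rPx,` (or an `rCx` child profile) seems the safer transition, to be confirmed against how tomb invokes it. `capability sys_rawio,` and `capability sys_ptrace,` are the broadest grants in the profile and `@{MOUNTS}/** w,` allows writes to every file under every mount point without `owner`; a one-line comment on each naming the tool or step that requires it would let a later reviewer confirm these cannot be narrowed. The `e2fsc` and `sudo` points also affect the child profile only indirectly, since `umount` is the sole rule set there.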