From 25e2d9d1f4141f0e10008ea6573898415ae1023e Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sun, 12 Mar 2023 15:33:21 +0000
Subject: [PATCH] feat(profiles): ensure gpg stays confined.
---
 apparmor.d/groups/gnome/seahorse | 2 +-
 apparmor.d/groups/gpg/gpgconf | 2 +-
 apparmor.d/groups/pacman/aurpublish | 2 +-
 apparmor.d/profiles-a-f/browserpass | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/apparmor.d/groups/gnome/seahorse b/apparmor.d/groups/gnome/seahorse
index cf196be0..1d1072e9 100644
--- a/apparmor.d/groups/gnome/seahorse
+++ b/apparmor.d/groups/gnome/seahorse
@@ -39,7 +39,7 @@ profile seahorse @{exec_path} {
 @{exec_path} mr,
 /{usr/,}bin/gpgconf rPx,
- /{usr/,}bin/gpg{,2} rUx,
+ /{usr/,}bin/gpg{,2} rPx,
 /{usr/,}bin/gpgsm rPx,
 # freedesktop.org-strict
diff --git a/apparmor.d/groups/gpg/gpgconf b/apparmor.d/groups/gpg/gpgconf
index 1ceba233..539f1b85 100644
--- a/apparmor.d/groups/gpg/gpgconf
+++ b/apparmor.d/groups/gpg/gpgconf
@@ -18,7 +18,7 @@ profile gpgconf @{exec_path} {
 @{exec_path} mrix,
 /{usr/,}bin/gpg-connect-agent rPx,
- /{usr/,}bin/gpg{,2} rPUx,
+ /{usr/,}bin/gpg{,2} rPx,
 /{usr/,}bin/gpg-agent rPx,
 /{usr/,}bin/dirmngr rPx,
 /{usr/,}bin/gpgsm rPx,
diff --git a/apparmor.d/groups/pacman/aurpublish b/apparmor.d/groups/pacman/aurpublish
index b7e444e9..e79ee736 100644
--- a/apparmor.d/groups/pacman/aurpublish
+++ b/apparmor.d/groups/pacman/aurpublish
@@ -20,7 +20,7 @@ profile aurpublish @{exec_path} {
 /{usr/,}bin/date rix,
 /{usr/,}bin/gettext rix,
 /{usr/,}bin/git rPx,
- /{usr/,}bin/gpg{,2} rPUx,
+ /{usr/,}bin/gpg{,2} rPx,
 /{usr/,}bin/grep rix,
 /{usr/,}bin/makepkg rix,
 /{usr/,}bin/mkdir rix,
diff --git a/apparmor.d/profiles-a-f/browserpass b/apparmor.d/profiles-a-f/browserpass
index f25a33e0..c7d8028e 100644
--- a/apparmor.d/profiles-a-f/browserpass
+++ b/apparmor.d/profiles-a-f/browserpass
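Review bot: Dropping the `U` from `rPUx` on the `gpg{,2}` line of the gpgconf hunk removes the unconfined fallback, so if the gpg profile is missing or fails to load the exec is now denied outright instead of silently running gpg unconfined; that is the stated intent, but it turns a profile-load problem into a user-visible failure in every caller of gpgconf (seahorse calls it with `rPx` in this same patch). The hunk itself cannot show whether the gpg profile is shipped and enabled by default in this tree, so that is worth confirming before merging. A one-line comment on the rule would keep the next person from relaxing it back while debugging: `# must stay confined: no unconfined fallback, the gpg profile is required`. The rest of the gpgconf profile body lies outside the hunk.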
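Review bot: In the aurpublish hunk, `/{usr/,}bin/makepkg rix,` keeps makepkg inside the aurpublish profile, so any gpg that makepkg itself spawns (for package or source signing, if that is enabled) is also governed by the `gpg{,2} rPx` rule and now runs confined under the gpg profile rather than unconfined as `rPUx` allowed. For that to keep working the gpg profile must be able to read the build tree and write the `.sig` output next to the built package, which this hunk cannot show; if it does not, signing fails with a DENIED on a path outside the gpg keyring directory, not with an aurpublish denial, which makes the cause hard to spot. I would make that coupling explicit on the rule: `# also applies to gpg spawned by makepkg (rix above) for package signing`. The profile body continues outside the hunk.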
@@ -15,7 +15,7 @@ profile browserpass @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mr,
- /{usr/,}bin/gpg{,2} rUx,
+ /{usr/,}bin/gpg{,2} rPx,
 owner @{HOME}/.password-store/{,**} r,
 owner @{HOME}/.mozilla/firefox/[0-9a-z]*.*/.parentlock rw,