From 2f5637bd6587444f46730b52bcd894dafcbdc606 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol <alexandre@pujol.io>
Date: Sun, 23 Feb 2025 18:16:27 +0100
Subject: [PATCH] feat(profile): improve makepkg.

---
 apparmor.d/groups/pacman/makepkg | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/apparmor.d/groups/pacman/makepkg b/apparmor.d/groups/pacman/makepkg
index d5abc07d..b2c043a6 100644
--- a/apparmor.d/groups/pacman/makepkg
+++ b/apparmor.d/groups/pacman/makepkg
@@ -28,14 +28,20 @@ profile makepkg @{exec_path} {
 
   file,
 
-  @{bin}/gpg{,2}  Cx -> gpg,
-  @{bin}/gpgconf  Cx -> gpg,
-  @{bin}/gpgsm    Cx -> gpg,
-  @{bin}/sudo     Cx -> sudo,
+  @{bin}/gpg{,2}                Cx -> gpg,
+  @{bin}/gpgconf                Cx -> gpg,
+  @{bin}/gpgsm                  Cx -> gpg,
+  @{bin}/sudo                   Cx -> sudo,
+
+  deny capability sys_ptrace,
+  deny ptrace read,
 
   profile gpg {
     include <abstractions/base>
     include <abstractions/consoles>
+    include <abstractions/devices-usb>
+
+    network netlink raw,
 
     @{bin}/gpg{,2} mr,
     @{bin}/gpgconf mr,