From 7a1c462a5e9fa15d16fd410cc78a2b8fe60ffd6c Mon Sep 17 00:00:00 2001
From: Alexandre Pujol <alexandre@pujol.io>
Date: Thu, 7 Oct 2021 14:53:28 +0100
Subject: [PATCH] pass-extension-python -> pass-import.

---
 apparmor.d/profiles-m-r/pass-extension-python | 29 ---------------
 apparmor.d/profiles-m-r/pass-import           | 36 +++++++++++++++++++
 profiles.flags                                |  2 +-
 3 files changed, 37 insertions(+), 30 deletions(-)
 delete mode 100644 apparmor.d/profiles-m-r/pass-extension-python
 create mode 100644 apparmor.d/profiles-m-r/pass-import

diff --git a/apparmor.d/profiles-m-r/pass-extension-python b/apparmor.d/profiles-m-r/pass-extension-python
deleted file mode 100644
index 13d4c7e2..00000000
--- a/apparmor.d/profiles-m-r/pass-extension-python
+++ /dev/null
@@ -1,29 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
-# SPDX-License-Identifier: GPL-2.0-only
-
-# Confine python based password-store extension. Note: This profile does not
-# specify an attachment path because it is intended to be used only via 
-# "Px -> pass-extension-python" exec transitions from the pass profile.
-
-abi <abi/3.0>,
-
-include <tunables/global>
-
-profile pass-extension-python {
-  include <abstractions/base>
-  include <abstractions/python>
-  include <abstractions/openssl>
-
-  /{usr/,}bin/               r,
-  /{usr/,}bin/pass           rPx,
-  /{usr/,}bin/python3.[0-9]* rix,
-
-  /usr/share/file/misc/magic.mgc r,
-
-  /tmp/* rw,
-
-  owner @{PROC}/@{pid}/fd/ r,
-
-  include if exists <local/pass-extension-python>
-}
\ No newline at end of file
diff --git a/apparmor.d/profiles-m-r/pass-import b/apparmor.d/profiles-m-r/pass-import
new file mode 100644
index 00000000..687be974
--- /dev/null
+++ b/apparmor.d/profiles-m-r/pass-import
@@ -0,0 +1,36 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}bin/pimport
+profile pass-import @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/python>
+  include <abstractions/openssl>
+
+  @{exec_path} mr,
+
+  /{usr/,}bin/                 r,
+  /{usr/,}bin/pass             rPx,
+  /{usr/,}{s,}bin/ldconfig     rix,
+  /{usr/,}bin/gcc              rix,
+  /{usr/,}bin/ld               rix,
+  /{usr/,}bin/python3.[0-9]*   rix,
+  /{usr/,}lib/gcc/**/collect2  rix,
+
+  /usr/share/file/misc/magic.mgc r,
+
+  owner @{HOME}/.password-store/{,**} rw,
+  owner @{HOME}/@{XDG_PROJECTS_DIR}/**/*-store/{,**} rw,
+  owner @{user_config_dirs}/password-store/{,**} rw,
+
+  owner /tmp/[a-zA-Z0-9]* rw,
+
+  @{PROC}/@{pids}/fd/ r,
+
+  include if exists <local/pass-import>
+}
\ No newline at end of file
diff --git a/profiles.flags b/profiles.flags
index c051396f..4d5bb217 100644
--- a/profiles.flags
+++ b/profiles.flags
@@ -116,7 +116,7 @@ pacman-hook-perl complain
 pacman-hook-systemd complain
 pacman-key complain
 pass complain
-pass-extension-python complain
+pass-import complain
 pinentry-gtk-2 complain
 pipewire complain
 pipewire-media-session complain