From 8334473902724f99fde671db9b6370cf6238197a Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sun, 26 Sep 2021 18:16:21 +0100
Subject: [PATCH] Add password-store profiles.
---
 apparmor.d/profiles-m-r/pass | 94 +++++++++++++++++++
 apparmor.d/profiles-m-r/pass-extension-python | 28 ++++++
 profiles.flags | 2 +
 3 files changed, 124 insertions(+)
 create mode 100644 apparmor.d/profiles-m-r/pass
 create mode 100644 apparmor.d/profiles-m-r/pass-extension-python
diff --git a/apparmor.d/profiles-m-r/pass b/apparmor.d/profiles-m-r/pass
new file mode 100644
index 00000000..90990b69
--- /dev/null
+++ b/apparmor.d/profiles-m-r/pass
@@ -0,0 +1,94 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}bin/pass
+profile pass @{exec_path} {
+ include
+ include
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/base64 rix,
+ /{usr/,}bin/bash rix,
+ /{usr/,}bin/cat rix,
+ /{usr/,}bin/cp rix,
+ /{usr/,}bin/diff rix,
+ /{usr/,}bin/dirname rix,
+ /{usr/,}bin/env rix,
+ /{usr/,}bin/find rix,
+ /{usr/,}bin/getopt rix,
+ /{usr/,}bin/grep rix,
+ /{usr/,}bin/head rix,
+ /{usr/,}bin/mkdir rix,
+ /{usr/,}bin/mktemp rix,
+ /{usr/,}bin/mv rix,
+ /{usr/,}bin/pkill rix,
+ /{usr/,}bin/rm rix,
+ /{usr/,}bin/rmdir rix,
+ /{usr/,}bin/sed rix,
+ /{usr/,}bin/shred rix,
+ /{usr/,}bin/sleep rix,
+ /{usr/,}bin/sort rix,
+ /{usr/,}bin/tail rix,
+ /{usr/,}bin/touch rix,
+ /{usr/,}bin/tr rix,
+ /{usr/,}bin/tree rix,
+ /{usr/,}bin/tty rix,
+ /{usr/,}bin/which rix,
+
+ /{usr/,}bin/git rPx,
+ /{usr/,}bin/gpg{2,} rUx,
+ /{usr/,}bin/vim rCx -> editor,
+ /{usr/,}bin/wl-{copy,paste} rPx,
+ /{usr/,}bin/xclip rPx,
+
+ # Pass extensions
+ /{usr/,}bin/oathtool rix, # pass-otp
+ /{usr/,}bin/python3.[0-9]* rPx -> pass-extension-python, # pass-import, pass-audit
+ /{usr/,}bin/qrencode rPUx, # pass-otp
+ /{usr/,}bin/tomb rPUx, # pass-tomb
+
+ /usr/share/terminfo/x/xterm-256color r,
+
+ owner @{HOME}/.password-store/{,**} rw,
+ owner @{HOME}/@{XDG_PROJECTS_DIR}/**/*-store/{,**} rw,
+ owner @{user_config_dirs}/password-store/{,**} rw,
+ owner /dev/shm/pass.*/{,*} rw,
+
+ owner @{PROC}/@{pids}/cmdline r,
+ @{PROC}/ r,
+ @{PROC}/sys/kernel/osrelease r,
+ @{PROC}/uptime r,
+
+ /dev/tty rw,
+
+ profile editor {
+ include
+ include
+
+ /{usr/,}bin/vim mrix,
+
+ /etc/vim/{,**} r,
+ /etc/vimrc r,
+ /usr/share/terminfo/x/xterm-256color r,
+ /usr/share/vim/{,**} r,
+ /tmp/ r,
+
+ owner @{HOME}/.fzf/plugin/ r,
+ owner @{HOME}/.fzf/plugin/fzf.vim r,
+ owner @{HOME}/.viminfo{,.tmp} rw,
+ owner @{user_cache_dirs}/vim/{,**} rw,
+ owner @{user_config_dirs}/vim/{,**} rw,
+ /dev/shm/pass.*/{,*} rw,
+
+ deny owner @{HOME}/ r,
+ }
+
+ include if exists
+ include if exists
+}
diff --git a/apparmor.d/profiles-m-r/pass-extension-python b/apparmor.d/profiles-m-r/pass-extension-python
new file mode 100644
index 00000000..6d375a77
--- /dev/null
+++ b/apparmor.d/profiles-m-r/pass-extension-python
@@ -0,0 +1,28 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Confine python based password-store extension. Note: This profile does not
+# specify an attachment path because it is intended to be used only via
+# "Px -> pass-extension-python" exec transitions from the pass profile.
+
+abi ,
+
+include
+
+profile pass-extension-python {
+ include
+ include
+ include
+
+ /{usr/,}bin/ r,
+ /{usr/,}bin/pass rPx,
+ /{usr/,}bin/python3.[0-9]* rix,
+
+ /usr/share/file/misc/magic.mgc r,
+
+ owner /tmp/* rw,
+ owner @{PROC}/@{pid}/fd/ r,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/profiles.flags b/profiles.flags
index f666cd8e..c051396f 100644
--- a/profiles.flags
+++ b/profiles.flags
@@ -115,6 +115,8 @@ pacman-hook-mkinitcpio-remove complain
 pacman-hook-perl complain
 pacman-hook-systemd complain
 pacman-key complain
+pass complain
+pass-extension-python complain
 pinentry-gtk-2 complain
 pipewire complain
 pipewire-media-session complain
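Review bot: `/{usr/,}bin/gpg{2,} rUx,` runs gpg fully unconfined even when a gpg profile is loaded, so the process that actually handles the decrypted secrets gets no confinement while the shell wrapper around it does; `/{usr/,}bin/gpg{2,} rPUx,` keeps the unconfined fallback but uses a gpg profile when one exists, which is how qrencode and tomb are already handled a few lines below. In the `editor` sub-profile, `/dev/shm/pass.*/{,*} rw,` lacks the `owner` qualifier that the same path carries in the parent profile; `owner /dev/shm/pass.*/{,*} rw,` keeps the two rules consistent. The `abi` and `include` lines appear here with their angle-bracketed arguments stripped by the rendering, so which abstractions the profile pulls in could not be checked from this view.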
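Review bot: `owner /tmp/* rw,` grants the extension read and write access to every file the user owns directly under /tmp, not just its own scratch files, which is wider than anything else in this profile. If the temporaries come from Python's tempfile module they carry the default `tmp` prefix, so `owner /tmp/tmp* rw,` would be a narrower fit; confirm this against what pass-import and pass-audit actually create. The file also ends without a trailing newline (`\ No newline at end of file`), unlike the `pass` profile added in the same patch.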