From 9a65da3605094a1842cdde488037f81e8bf3302d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 24 Jan 2024 21:03:49 +0000 Subject: [PATCH] feat(profile): apply profile guideline on secure-time-sync. --- apparmor.d/profiles-s-z/secure-time-sync | 18 +++++++++++------- dists/flags/main.flags | 1 + 2 files changed, 12 insertions(+), 7 deletions(-) diff --git a/apparmor.d/profiles-s-z/secure-time-sync b/apparmor.d/profiles-s-z/secure-time-sync index f317b947..7545f53e 100644 --- a/apparmor.d/profiles-s-z/secure-time-sync +++ b/apparmor.d/profiles-s-z/secure-time-sync @@ -1,4 +1,5 @@ # apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -17,13 +18,16 @@ profile secure-time-sync @{exec_path} flags=(attach_disconnected) { network inet dgram, network inet6 dgram, + @{exec_path} mr, + + @{bin}/{,ba,da}sh rix, + @{bin}/curl rix, + @{bin}/date rix, + @{bin}/grep rix, + @{bin}/id rPx, + @{bin}/sed rix, + owner /dev/tty rw, - /usr/bin/bash ix, - /usr/bin/curl mrix, - /usr/bin/date mrix, - /usr/bin/grep mrix, - /usr/bin/id mrix, - /usr/bin/sed mrix, - @{exec_path} r, + include if exists } diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 0d813e17..8784b1cd 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -291,6 +291,7 @@ runuser complain s3fs complain sdcv complain sddm attach_disconnected,mediate_deleted,complain +secure-time-sync attach_disconnected,complain sftp-server complain sing-box complain slirp4netns attach_disconnected,complain
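Review bot: The new `@{bin}/id rPx,` rule in the secure-time-sync hunk depends on a separate profile for `id` being loaded, because a `Px` transition is refused when the target profile is missing, and no such profile appears in this patch. Compared with the old `/usr/bin/id mrix,`, this is a tightening: `id` no longer inherits the script's network and tty rules. The dependency should be recorded next to the rule, for example `# id runs under its own profile; exec is denied if that profile is not loaded`. The profile block opens above this hunk, so rules earlier in the file are not visible here.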
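Review bot: The added `secure-time-sync attach_disconnected,complain` entry in dists/flags/main.flags puts the profile in complain mode, so the rules tightened in the profile file of this commit are only logged, not enforced, wherever this flag set is applied. The profile header already hard-codes `flags=(attach_disconnected)`, and how the build merges the two is not visible in this patch. It is worth confirming that the generated header ends up as `flags=(attach_disconnected,complain)` with no duplicated flag. The commit message could also say that complain is temporary, for example `profile stays in complain until logs are clean`.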