From d084023120722d802525e71b14591ae90cd25fbb Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sat, 12 Jun 2021 15:21:28 +0100
Subject: [PATCH] Add update-ca-trust
---
apparmor.d/profiles-m-z/update-ca-trust | 40 +++++++++++++++++++++++++
1 file changed, 40 insertions(+)
create mode 100644 apparmor.d/profiles-m-z/update-ca-trust
diff --git a/apparmor.d/profiles-m-z/update-ca-trust b/apparmor.d/profiles-m-z/update-ca-trust
new file mode 100644
index 00000000..bffe6746
--- /dev/null
+++ b/apparmor.d/profiles-m-z/update-ca-trust
@@ -0,0 +1,40 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}bin/update-ca-trust
+profile update-ca-trust @{exec_path} {
+ include
+ include
+
+ capability dac_read_search,
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/bash rix,
+ /{usr/,}bin/find rix,
+ /{usr/,}bin/ln rix,
+ /{usr/,}bin/trust rix,
+
+ / r,
+ /usr/share/p11-kit/modules/{,*} r,
+
+ /etc/ca-certificates/extracted/{tls,email,objsign}-ca-bundle.pem{,.*} w,
+ /etc/ca-certificates/extracted/ca-bundle.trust.crt{,.*} w,
+ /etc/ca-certificates/extracted/cadir/{,*} rw,
+ /etc/ca-certificates/extracted/edk2-cacerts.bin{,.*} w,
+ /etc/ssl/certs/{,*} rw,
+ /etc/ssl/certs/java/cacerts{,.*} w,
+
+ /dev/tty rw,
+
+ # Silencer
+ deny network inet6 stream,
+ deny network inet stream,
+
+ include if exists
+}
\ No newline at end of file
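Review bot: The two `deny network` rules under `# Silencer` remove the audit record for a TCP attempt made by anything running under this profile, and bash, find, ln and trust all inherit it through `rix` while holding write access to the system trust store. No network allow rule is visible in the profile body (the include targets are not legible here, so this is hedged), which means the connection would presumably be refused anyway and the deny lines only take away the log entry. If the attempt is known and harmless, name its origin in the comment, e.g. `# Silencer: <binary> tries a TCP socket at startup, not needed for extraction`; otherwise `audit deny network inet stream,` and `audit deny network inet6 stream,` keep the denial visible to whoever monitors changes to the CA bundle. Separately, `capability dac_read_search,` bypasses file read and directory search permission checks and carries no comment saying which step of the script needs it.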