From ddd0388d7d5228b0d36fb05a808a8bc9699db63a Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Wed, 18 Sep 2024 23:18:31 +0100
Subject: [PATCH] feat(profile): add mkcert.
---
 apparmor.d/profiles-m-r/mkcert | 43 ++++++++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)
 create mode 100644 apparmor.d/profiles-m-r/mkcert
diff --git a/apparmor.d/profiles-m-r/mkcert b/apparmor.d/profiles-m-r/mkcert
new file mode 100644
index 00000000..0941ad34
--- /dev/null
+++ b/apparmor.d/profiles-m-r/mkcert
@@ -0,0 +1,43 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/mkcert
+profile mkcert @{exec_path} {
+ include
+ include
+ include
+ include
+ include
+
+ network netlink raw,
+
+ @{exec_path} mr,
+
+ @{bin}/certutil rix,
+ @{bin}/rm rix,
+ @{bin}/sudo rix,
+ @{bin}/tee rix,
+ @{bin}/trust rix,
+ @{bin}/update-ca-trust rPx,
+
+ owner @{HOME}/.mozilla/firefox/*/{cert9,key4}.db{,-journal} rwk,
+
+ owner @{HOME}/.pki/ rw,
+ owner @{HOME}/.pki/nssdb/ rw,
+ owner @{HOME}/.pki/nssdb/pkcs11.txt rw,
+ owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk,
+ owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw,
+
+ owner @{user_share_dirs}/mkcert/{,**} rw,
+
+ owner @{PROC}/@{pids}//cgroup r,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
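Review bot: The `@{bin}/sudo rix,` rule makes sudo and the root-run `tee`/`rm` inherit this profile, yet no visible rule grants the capabilities sudo normally needs or write access to a system trust-anchor directory. The include targets are not visible on this page, so an abstraction may already cover this; if not, installing the CA system-wide will be denied, and loosening the transition to `rUx`/`rPUx` would be the wrong fix because the root children would then leave confinement. I would keep the inherit transition, add the narrow trust-anchor write rule explicitly, and put a comment above the exec rules such as `# sudo only wraps tee, rm and update-ca-trust when installing the root CA system-wide`. The `owner` rules on the NSS databases and on `@{user_share_dirs}/mkcert/{,**}` (which presumably holds the CA private key) are the sensitive grants here and also deserve a one-line comment stating why they are writable.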