From e078fe276703bb43c2bd8639840a83333b547a13 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol <alexandre@pujol.io>
Date: Thu, 7 Apr 2022 20:58:58 +0100
Subject: [PATCH] feat: add etckeeper profile.

---
 apparmor.d/profiles-a-f/etckeeper | 72 +++++++++++++++++++++++++++++++
 1 file changed, 72 insertions(+)
 create mode 100644 apparmor.d/profiles-a-f/etckeeper

diff --git a/apparmor.d/profiles-a-f/etckeeper b/apparmor.d/profiles-a-f/etckeeper
new file mode 100644
index 00000000..d578d0a1
--- /dev/null
+++ b/apparmor.d/profiles-a-f/etckeeper
@@ -0,0 +1,72 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}bin/etckeeper
+profile etckeeper @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/nameservice-strict>
+
+  capability dac_read_search,
+  capability dac_override,
+
+  @{exec_path} mrix,
+
+  /{usr/,}bin/{,ba,da}sh     rix,
+  /{usr/,}bin/{,e}grep       rix,
+  /{usr/,}bin/chmod          rix,
+  /{usr/,}bin/cut            rix,
+  /{usr/,}bin/find           rix,
+  /{usr/,}bin/getent         rix,
+  /{usr/,}bin/git*           rix,
+  /{usr/,}lib/git-core/git*  rix,
+  /{usr/,}bin/gpg            rCx -> gpg,
+  /{usr/,}bin/hostname       rix,
+  /{usr/,}bin/mktemp         rix,
+  /{usr/,}bin/perl           rix,
+  /{usr/,}bin/rm             rix,
+  /{usr/,}bin/sed            rix,
+  /{usr/,}bin/sort           rix,
+  /{usr/,}bin/tty            rix,
+  /{usr/,}bin/uniq           rix,
+  /{usr/,}bin/whoami         rix,
+
+  /etc/.git/hooks/*     rix,
+  /etc/etckeeper/*.d/*  rix,
+  /etc/etckeeper/daily  rix,
+
+  /etc/   rw,
+  /etc/** rwkl -> /etc/**,
+
+  owner @{HOME}/.gitconfig* r,
+  owner @{HOME}/.netrc r,
+  owner @{user_config_dirs}/git/{,*} rw,
+
+  @{run}/resolvconf/resolv.conf r,
+
+  owner /tmp/etckeeper-git* rw,
+
+  profile gpg {
+    include <abstractions/base>
+    include <abstractions/consoles>
+
+    /{usr/,}bin/gpg        mr,
+    /{usr/,}bin/gpg-agent  rPx,
+
+    owner @{HOME}/@{XDG_GPG_DIR}/ rw,
+    owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
+
+    owner @{PROC}/@{pid}/fd/ r,
+    owner @{user_config_dirs}/dotfiles/@{XDG_GPG_DIR}/** rwkl,  # to remove, to depracate
+  
+    # owner /tmp/.git_vtag_tmp* r,
+
+    # deny @{user_share_dirs}/gvfs-metadata/* r,
+  }
+
+  include if exists <local/etckeeper>
+}
\ No newline at end of file