From e9a5edb33235837479c01b3fb949a6de5574bfb7 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol <alexandre@pujol.io>
Date: Wed, 18 Sep 2024 23:36:00 +0100
Subject: [PATCH] feat(profile): add firewall-applet.

---
 apparmor.d/profiles-a-f/firewall-applet | 28 ++++++++++++++++++++++++
 apparmor.d/profiles-a-f/firewall-config | 29 +++++++++++++++++++++++++
 2 files changed, 57 insertions(+)
 create mode 100644 apparmor.d/profiles-a-f/firewall-applet
 create mode 100644 apparmor.d/profiles-a-f/firewall-config

diff --git a/apparmor.d/profiles-a-f/firewall-applet b/apparmor.d/profiles-a-f/firewall-applet
new file mode 100644
index 00000000..b3571e62
--- /dev/null
+++ b/apparmor.d/profiles-a-f/firewall-applet
@@ -0,0 +1,28 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/firewall-applet
+profile firewall-applet @{exec_path} flags=(attach_disconnected) {
+  include <abstractions/base>
+  include <abstractions/consoles>
+  include <abstractions/dconf-write>
+  include <abstractions/desktop>
+  include <abstractions/python>
+
+  @{exec_path} mr,
+
+  @{bin}/ r,
+  @{bin}/python3.@{int} r,
+
+  owner @{PROC}/@{pid}/cmdline r,
+  owner @{PROC}/@{pid}/mounts r,
+
+  include if exists <local/firewall-applet>
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/firewall-config b/apparmor.d/profiles-a-f/firewall-config
new file mode 100644
index 00000000..a752954e
--- /dev/null
+++ b/apparmor.d/profiles-a-f/firewall-config
@@ -0,0 +1,29 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/firewall-config
+profile firewall-config @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/dconf-write>
+  include <abstractions/desktop>
+  include <abstractions/python>
+
+  @{exec_path} mr,
+
+  @{open_path}  rPx -> child-open-help,
+
+  /usr/share/firewalld/__pycache__/ rw,
+
+  /usr/share/firewalld/{,**} r,
+
+  owner @{PROC}/@{pid}/mounts r,
+
+  include if exists <local/firewall-config>
+}
+
+# vim:syntax=apparmor