# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/3.0>,

include <tunables/global>

@{exec_path} = /{usr/,}bin/crontab
profile crontab @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
  include <abstractions/nameservice-strict>

  capability setgid,
  capability setuid,

  @{exec_path} mr,

  /{usr/,}bin/{,ba,da}sh      rix,

  # When editing the crontab file
  /{usr/,}bin/sensible-editor rCx -> editor,
  /{usr/,}bin/vim.*           rCx -> editor,

        /var/spool/cron/ r,
        /var/spool/cron/crontabs/ rw,
  owner /var/spool/cron/crontabs/* rw,

  owner /tmp/crontab.*/{,crontab} rw,


  profile editor {
    include <abstractions/base>
    include <abstractions/nameservice-strict>

    capability fsetid,

    /{usr/,}bin/sensible-editor mr,
    /{usr/,}bin/vim.*           mrix,
    /{usr/,}bin/{,ba,da}sh       rix,
    /{usr/,}bin/which            rix,

    owner @{HOME}/.selected_editor r,

    /usr/share/vim/{,**} r,
    /etc/vim/{,**} r,
    owner @{HOME}/.viminfo{,.tmp} rw,

    owner @{HOME}/.fzf/plugin/ r,
    owner @{HOME}/.fzf/plugin/fzf.vim r,

          /tmp/ r,
    owner /tmp/crontab.*/crontab rw,

  }

  include if exists <local/crontab>
}