# vim:syntax=apparmor
# ------------------------------------------------------------------
#
#    Copyright (C) 2019-2021 Mikhail Morfikov
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License published by the Free Software Foundation.
#
# ------------------------------------------------------------------

abi <abi/3.0>,

include <tunables/global>

@{exec_path} = /{usr/,}sbin/vi{pw,gr}
profile vipw-vigr @{exec_path} {
  include <abstractions/base>

  capability chown,

  @{exec_path} mr,

  /{usr/,}bin/{,ba,da}sh      rix,

  /{usr/,}bin/sensible-editor rCx -> editor,
  /{usr/,}bin/vim.*           rCx -> editor,

  /etc/login.defs r,

  /etc/{passwd,shadow,gshadow,group}{,.edit} rw,
  /etc/{passwd,shadow,gshadow,group}.@{pid} rw,
  /etc/passwd.lock  wl -> /etc/passwd.@{pid},
  /etc/shadow.lock  wl -> /etc/shadow.@{pid},
  /etc/gshadow.lock wl -> /etc/gshadow.@{pid},
  /etc/group.lock   wl -> /etc/group.@{pid},
  /etc/passwd-      wl -> /etc/passwd,
  /etc/shadow-      wl -> /etc/shadow,
  /etc/gshadow-     wl -> /etc/gshadow,
  /etc/group-       wl -> /etc/group,

  # A process first uses lckpwdf() to lock the lock file, thereby gaining exclusive rights to
  # modify the /etc/passwd or /etc/shadow password database.
  /etc/.pwd.lock rwk,


  profile editor {
    include <abstractions/base>
    include <abstractions/nameservice-strict>

    capability fsetid,

    /{usr/,}bin/sensible-editor mr,
    /{usr/,}bin/vim.*           mrix,
    /{usr/,}bin/{,ba,da}sh       rix,
    /{usr/,}bin/which            rix,

    owner @{HOME}/.selected_editor r,

    /usr/share/vim/{,**} r,
    /etc/vim/{,**} r,
    owner @{HOME}/.viminfo{,.tmp} rw,

    owner @{HOME}/.fzf/plugin/ r,
    owner @{HOME}/.fzf/plugin/fzf.vim r,

    /etc/{passwd,shadow,gshadow,group}.edit rw,

  }

  include if exists <local/vipw-vigr>
}