# vim: ft=apparmor

abi <abi/3.0>,

include <tunables/global>
# Root of signd's on-disk state; every tree below is relative to it.
@{OBS_SIGND_DATA_DIR}=/srv/obs-signd
# One GnuPG home per key set (default/privileged/restricted/system).  Rules written
# against @{GNUPG_HOME} therefore cover all four homes at once.
@{GNUPG_HOME}=@{OBS_SIGND_DATA_DIR}/{default,privileged,restricted,system}/gnupg
# Phrase files (presumably key passphrases -- confirm against signd) for the
# restricted and default sets only.
@{PHRASES_DIR}=@{OBS_SIGND_DATA_DIR}/{restricted,default}/phrases
# Alias files for the same two sets.
@{ALIASES_DIR}=@{OBS_SIGND_DATA_DIR}/{restricted,default}/aliases
# Encryption keys exist for the default set only.
@{ENCKEYS_DIR}=@{OBS_SIGND_DATA_DIR}/default/enckeys
# Runtime scratch area; profiles below use a per-instance @{SIGND_TMPDIR}/*/ layout
# (gnupg sockets, backup.tar).
@{SIGND_TMPDIR}=/run/signd
# NOTE(review): @{ALIASES_DIR}, @{ENCKEYS_DIR} and @{KEYCACHE_DIR} are not referenced
# by any profile in this file; presumably consumed by the included abstractions.
@{KEYCACHE_DIR}=@{OBS_SIGND_DATA_DIR}/keycache

profile obs-sign /usr/bin/sign {
  include <abstractions/obs-sign>

  # The client binary itself: read + mmap.
  /usr/bin/sign rm,

  # Working trees the client reads from and writes into (files, locks, links).
  # What lives in each is not visible from this profile -- confirm against the
  # sign client before narrowing.  Note that /var/lib/obs-signd is a different
  # tree from @{OBS_SIGND_DATA_DIR} (/srv/obs-signd), which the daemon uses.
  /{root/signme,var/lib/obs-signd,srv/obs}/** rwlk,

  include if exists <local/obs-sign>
}
#
# Use with
#
# ```
# [Service]
# AppArmorProfile=obs-signd
# ```
# 
# in a systemd unit drop-in file for the signd service.  The profile also carries
# an attachment path (/usr/sbin/signd), so it is applied automatically on exec;
# AppArmorProfile= only makes the confinement explicit in the unit.

profile obs-signd /usr/sbin/signd {
  include <abstractions/obs-signd>

  # Every GnuPG helper is executed under its own, narrower profile (px) instead
  # of inheriting this one.
  /usr/bin/gpg2 px -> obs-sign-gpg,
  /usr/bin/gpgconf px -> obs-sign-gpgconf,
  /usr/bin/gpg-connect-agent px -> obs-sign-gpg-connect-agent,
  # Same for the backup archiver; both the usr-merged and the legacy path.
  /{usr/,}bin/tar px -> obs-sign-tar,

  # Read/write/lock on the privileged-actions log.
  @{OBS_SIGND_DATA_DIR}/privileged_actions.log rwk,

  # TODO: find out if we need this.  It grants the daemon itself rwlk on everything
  # under all four GnuPG homes, i.e. the key material the px transitions above are
  # meant to keep behind gpg.  Prefixing the rule with `audit` logs every use and is
  # the cheapest way to find out whether it is exercised at all.
  @{GNUPG_HOME}/** rwlk,

  include if exists <local/obs-signd>
}
#
# Use with
#
# ```
# [Service]
# AppArmorProfile=obs-sign-proxy
# ```
# 
# in a systemd unit drop-in file for the proxy service.  This profile has no
# attachment path, so AppArmorProfile= is the only way it is ever applied.
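profile obs-sign-proxy {
  include <abstractions/obs-signd>

  # The proxy shares signd's abstraction but must never run the GnuPG tooling
  # itself.  All three binaries that obs-signd is allowed to transition to are
  # denied here, not just two of them.  deny rules win over any allow rule,
  # including anything a local/obs-sign-proxy drop-in adds, and `audit` makes an
  # attempt show up in the log instead of failing silently.
  audit deny /usr/bin/gpg2 x,
  audit deny /usr/bin/gpgconf x,
  audit deny /usr/bin/gpg-connect-agent x,

  include if exists <local/obs-sign-proxy>
}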

profile obs-sign-gpg {
  include <abstractions/obs-gpg>

  /usr/bin/gpg2 rm,

  # Daemons gpg spawns on demand; each runs under its own profile.
  /usr/bin/dirmngr px -> obs-sign-dirmngr,
  /usr/bin/gpg-agent px -> obs-sign-gpg-agent,

  # Phrase files.  "inherited from signd": presumably signd opens the file and
  # hands the descriptor down; AppArmor re-validates inherited fds on a px
  # transition, so gpg still needs an explicit read rule here.
  @{PHRASES_DIR}/* r,

  include if exists <local/obs-sign-gpg>
}
profile obs-sign-gpg-agent {
  include <abstractions/obs-gpg>

  /usr/bin/gpg-agent rm,
  /usr/bin/scdaemon px -> obs-sign-scdaemon,

  # CAP_FOWNER bypasses the "must own the file" check for chmod/utimes and
  # similar operations.  Why the agent needs it is not visible from this file --
  # worth confirming from aa-logprof output, since a capability is a much wider
  # grant than the path rules around it.
  capability fowner,

  include if exists <local/obs-sign-gpg-agent>
}

profile obs-sign-gpgconf {
  include <abstractions/gnupg-base>

  # Only the binary itself (read + mmap); everything else comes from gnupg-base.
  /usr/bin/gpgconf rm,

  include if exists <local/obs-sign-gpgconf>
}
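profile obs-sign-gpg-connect-agent {
  include <abstractions/gnupg-base>

  # Only the binary itself (read + mmap); everything else comes from gnupg-base.
  /usr/bin/gpg-connect-agent rm,

  # Local override hook for *this* profile.  Previously pointed at
  # local/obs-sign-gpgconf, so a gpgconf-specific override would have been
  # silently applied to gpg-connect-agent as well, and there was no way to
  # extend this profile on its own.
  include if exists <local/obs-sign-gpg-connect-agent>
}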
profile obs-sign-scdaemon {
  include <abstractions/gnupg-base>

  /usr/bin/scdaemon rm,

  # scdaemon's own socket, in either place it may be created, and only when the
  # socket file is owned by the daemon's uid.
  owner @{GNUPG_HOME}/S.scdaemon rw,
  owner @{SIGND_TMPDIR}/*/gnupg/S.scdaemon rw,

  include if exists <local/obs-sign-scdaemon>
}
profile obs-sign-dirmngr {
  include <abstractions/gnupg-base>
  include <abstractions/ssl_certs>

  /usr/bin/dirmngr rm,

  # No network at all for dirmngr (keyserver and CRL/OCSP traffic included).
  # `deny` is a quiet deny: attempts are not logged.  Use `audit deny network,`
  # instead if you want to see dirmngr trying to reach out.
  deny network,

  include if exists <local/obs-sign-dirmngr>
}

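profile obs-sign-tar {
  include <abstractions/base>

  # Match the exec rule in obs-signd (/{usr/,}bin/tar px -> obs-sign-tar): on a
  # non-usr-merged system tar is reached as /bin/tar, and the profile a binary
  # runs under is expected to allow reading/mapping that binary, as every other
  # profile in this file does for its own executable.
  /{usr/,}bin/tar rm,

  # uid/gid <-> name lookups for archive members.
  /etc/passwd r,
  /etc/group r,
  /{usr/,}etc/nsswitch.conf r,
  # Read by tar under this profile; the reason is not visible here -- confirm.
  /etc/sign.conf r,

  / r,

  # Backup source: signd's data tree, read-only, and only entries owned by the
  # invoking uid.
  owner @{OBS_SIGND_DATA_DIR}/ r,
  owner @{OBS_SIGND_DATA_DIR}/** r,

  # The only thing tar may write: the per-instance backup archive.
  owner @{SIGND_TMPDIR}/*/backup.tar w,

  include if exists <local/obs-sign-tar>
}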
