apparmor/profiles/apparmor.d/curl

#------------------------------------------------------------------
#    Copyright (C) 2025 Canonical Ltd.
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License published by the Free Software Foundation.
#------------------------------------------------------------------
# vim: ft=apparmor

abi <abi/4.0>,

include <tunables/global>

profile curl /usr/bin/curl {
  include <abstractions/base>
  include <abstractions/nameservice>
  include <abstractions/private-files-strict>
  include <abstractions/ssl_certs>

  @{exec_path} mr,

  # allow reading configuration files from $HOME
  priority=1 file r @{HOME}/.curlrc,
  priority=1 file r @{HOME}/.config/curlrc,

  # allow reading other configuration files/certs from $HOME
  # (see --config, --cacert options)
  file r @{HOME}/**,

  # allow reading data/config from tmp
  owner file r /tmp/**,

  # allow writing output to $HOME, /tmp (see -o option)
  file w @{HOME}/**,
  file w /tmp/**,

  # allows UDP (for DNS), TCP (for http, https, etc), abstract Unix sockets, IPv4, IPv6
  network unix stream,
  network unix dgram,
  network inet stream,
  network inet dgram,
  network inet6 stream,
  network inet6 dgram,

  # Allow access to the snap socket until we can revisit it with delegation
  # or profile refactoring
  file rw @{run}/snapd.socket,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/curl>
}
Add curl profile 2025-06-23 13:49:23 +00:00			`#------------------------------------------------------------------`
			`# Copyright (C) 2025 Canonical Ltd.`
			`#`
			`# This program is free software; you can redistribute it and/or`
			`# modify it under the terms of version 2 of the GNU General Public`
			`# License published by the Free Software Foundation.`
			`#------------------------------------------------------------------`
			`# vim: ft=apparmor`

			`abi <abi/4.0>,`

			`include <tunables/global>`

			`profile curl /usr/bin/curl {`
			`include <abstractions/base>`
			`include <abstractions/nameservice>`
			`include <abstractions/private-files-strict>`
			`include <abstractions/ssl_certs>`

			`@{exec_path} mr,`

			`# allow reading configuration files from $HOME`
			`priority=1 file r @{HOME}/.curlrc,`
			`priority=1 file r @{HOME}/.config/curlrc,`

			`# allow reading other configuration files/certs from $HOME`
			`# (see --config, --cacert options)`
			`file r @{HOME}/**,`

profiles: Allow curl to read tmp, for scripts which might use config/etags/data... Signed-off-by: Simon Poirier <simon.poirier@canonical.com> 2025-08-13 21:36:50 -04:00			`# allow reading data/config from tmp`
			`owner file r /tmp/**,`

Add curl profile 2025-06-23 13:49:23 +00:00			`# allow writing output to $HOME, /tmp (see -o option)`
			`file w @{HOME}/**,`
			`file w /tmp/**,`

			`# allows UDP (for DNS), TCP (for http, https, etc), abstract Unix sockets, IPv4, IPv6`
			`network unix stream,`
			`network unix dgram,`
			`network inet stream,`
			`network inet dgram,`
			`network inet6 stream,`
			`network inet6 dgram,`

profiles: add /run/snapd.socket rule for curl This ideally is a temporary fix because we do not want to allow all users of curl to be able to access the snapd socket. However, this will work for now until we can mediate the accesses better. Fixes: LP: #2120669 Signed-off-by: Ryan Lee <ryan.lee@canonical.com> 2025-08-18 12:06:29 -07:00			`# Allow access to the snap socket until we can revisit it with delegation`
			`# or profile refactoring`
			`file rw @{run}/snapd.socket,`

Add curl profile 2025-06-23 13:49:23 +00:00			`# Site-specific additions and overrides. See local/README for details.`
			`include if exists <local/curl>`
			`}`