diff --git a/profiles/apparmor.d/curl b/profiles/apparmor.d/curl
new file mode 100644
index 000000000..369369877
--- /dev/null
+++ b/profiles/apparmor.d/curl
@@ -0,0 +1,44 @@
+#------------------------------------------------------------------
+# Copyright (C) 2025 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#------------------------------------------------------------------
+# vim: ft=apparmor
+
+abi ,
+
+include
+
+profile curl /usr/bin/curl {
+ include
+ include
+ include
+ include
+
+ @{exec_path} mr,
+
+ # allow reading configuration files from $HOME
+ priority=1 file r @{HOME}/.curlrc,
+ priority=1 file r @{HOME}/.config/curlrc,
+
+ # allow reading other configuration files/certs from $HOME
+ # (see --config, --cacert options)
+ file r @{HOME}/**,
+
+ # allow writing output to $HOME, /tmp (see -o option)
+ file w @{HOME}/**,
+ file w /tmp/**,
+
+ # allows UDP (for DNS), TCP (for http, https, etc), abstract Unix sockets, IPv4, IPv6
+ network unix stream,
+ network unix dgram,
+ network inet stream,
+ network inet dgram,
+ network inet6 stream,
+ network inet6 dgram,
+
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists
+}
diff --git a/tests/profiles/curl/task.yaml b/tests/profiles/curl/task.yaml
new file mode 100644
index 000000000..db9166a26
--- /dev/null
+++ b/tests/profiles/curl/task.yaml
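Review bot: The rules `file r @{HOME}/**,` and `file w @{HOME}/**,` give a confined curl read and write access to everything under the user's home, including SSH and GPG keys, shell startup files and autostart entries, so the profile constrains little if curl or a library it loads misbehaves while handling untrusted content. The four `include` lines inside the profile have lost their targets in this rendering, so it is not visible whether a deny abstraction is already pulled in; if none is, add `include <abstractions/private-files-strict>` so those paths stay denied while ordinary `-o`, `--config` and `--cacert` use under $HOME presumably keeps working. The comment above the network rules says "abstract Unix sockets", but `network unix stream,` and `network unix dgram,` do not appear to be limited to abstract addresses; either reword the comment to say "Unix sockets" or narrow the rules to match it.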
@@ -0,0 +1,14 @@
+summary: smoke test for the curl profile
+execute: |
+ # set up fake HTTP server
+ echo -ne "HTTP/1.0 200 OK\nContent-type: text/html; charset=utf-8\nContent-Length: 12\n\nhello, world" > res
+ nc -lvp 8080 < res &
+
+ # HTTP GET to server, save result
+ curl http://localhost:8080/ -o /tmp/res
+
+ # assert result is correct
+ test "$(cat /tmp/res)" = "hello, world"
+
+ # The profile is attached based on the program path.
+ "$SPREAD_PATH"/tests/bin/actual-profile-of curl | MATCH 'curl \(enforce\)'
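Review bot: The test only exercises what the profile allows, so it would still pass if the file rules were much broader than intended; add a case that expects a denial, for example a download whose `-o` target lies outside $HOME and /tmp and must fail. Separately, `nc -lvp 8080 < res &` is started in the background and curl runs immediately afterwards, so the request can arrive before the listener is bound; `curl --retry 5 --retry-connrefused http://localhost:8080/ -o /tmp/res` would tolerate that. The listener and the fixed `/tmp/res` file are also left behind when an assertion fails, which a `restore:` section could clean up.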