Add curl profile

profiles/apparmor.d/curl

@@ -0,0 +1,44 @@
+#------------------------------------------------------------------
+#    Copyright (C) 2025 Canonical Ltd.
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#------------------------------------------------------------------
+# vim: ft=apparmor
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+profile curl /usr/bin/curl {
+  include <abstractions/base>
+  include <abstractions/nameservice>
+  include <abstractions/private-files-strict>
+  include <abstractions/ssl_certs>
+
+  @{exec_path} mr,
+
+  # allow reading configuration files from $HOME
+  priority=1 file r @{HOME}/.curlrc,
+  priority=1 file r @{HOME}/.config/curlrc,
+
+  # allow reading other configuration files/certs from $HOME
+  # (see --config, --cacert options)
+  file r @{HOME}/**,
+
+  # allow writing output to $HOME, /tmp (see -o option)
+  file w @{HOME}/**,
+  file w /tmp/**,
+
+  # allows UDP (for DNS), TCP (for http, https, etc), abstract Unix sockets, IPv4, IPv6
+  network unix stream,
+  network unix dgram,
+  network inet stream,
+  network inet dgram,
+  network inet6 stream,
+  network inet6 dgram,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/curl>
+}

tests/profiles/curl/task.yaml

@@ -0,0 +1,14 @@
+summary: smoke test for the curl profile
+execute: |
+    # set up fake HTTP server
+    echo -ne "HTTP/1.0 200 OK\nContent-type: text/html; charset=utf-8\nContent-Length: 12\n\nhello, world" > res
+    nc -lvp 8080 < res &
+
+    # HTTP GET to server, save result
+    curl http://localhost:8080/ -o /tmp/res
+
+    # assert result is correct
+    test "$(cat /tmp/res)" = "hello, world"
+
+    # The profile is attached based on the program path.
+    "$SPREAD_PATH"/tests/bin/actual-profile-of curl | MATCH 'curl \(enforce\)'