From 74ad177d07c1880449a22d1970fb60528357b79b Mon Sep 17 00:00:00 2001
From: Eduardo Barretto <eduardo.barretto@canonical.com>
Date: Fri, 11 Oct 2024 18:15:39 +0200
Subject: [PATCH 1/7] Add profile for mbsync tool

Source package isync

Signed-off-by: Eduardo Barretto <eduardo.barretto@canonical.com>
---
 profiles/apparmor.d/mbsync | 45 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)
 create mode 100644 profiles/apparmor.d/mbsync

diff --git a/profiles/apparmor.d/mbsync b/profiles/apparmor.d/mbsync
new file mode 100644
index 000000000..697e0f6cb
--- /dev/null
+++ b/profiles/apparmor.d/mbsync
@@ -0,0 +1,45 @@
+#------------------------------------------------------------------
+#    Copyright (C) 2024 Canonical Ltd.
+#
+#    Author: Eduardo Barretto <eduardo.barretto@canonical.com>
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#------------------------------------------------------------------
+# vim: ft=apparmor
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+profile mbsync /usr/bin/mbsync {
+  include <abstractions/base>
+  include <abstractions/ssl_certs>
+
+  network inet dgram,
+  network inet stream,
+  network inet6 dgram,
+  network inet6 stream,
+  network netlink raw,
+
+  @{etc_ro}/gai.conf r,
+  @{etc_ro}/host.conf r,
+  @{etc_ro}/hosts r,
+  @{etc_ro}/nsswitch.conf r,
+  @{etc_ro}/ssl/openssl.cnf r,
+  @{run}/systemd/resolve/stub-resolv.conf r,
+  /usr/bin/mbsync r,
+  owner @{HOME}/.mbsyncrc r,
+  owner @{HOME}/Mail/**/ r,
+  owner @{HOME}/Mail/**/.mbsyncstate rw,
+  owner @{HOME}/Mail/**/.mbsyncstate.journal rw,
+  owner @{HOME}/Mail/**/.mbsyncstate.lock wk,
+  owner @{HOME}/Mail/**/.mbsyncstate.new rw,
+  owner @{HOME}/Mail/**/.uidvalidity rwk,
+  owner @{HOME}/Mail/**/cur/* rw,
+  owner @{HOME}/Mail/**/new/* rw,
+  owner @{HOME}/Mail/**/tmp/* rw,
+
+  include if exists <local/mbsync>
+}

From 5f0fcfcae98f97ee9c6e8cfa2c115c663a7badd5 Mon Sep 17 00:00:00 2001
From: Eduardo Barretto <eduardo.barretto@canonical.com>
Date: Thu, 7 Nov 2024 19:03:30 +0100
Subject: [PATCH 2/7] profiles: mbsync: make use of nameservice-strict
 abstraction

Signed-off-by: Eduardo Barretto <eduardo.barretto@canonical.com>
---
 profiles/apparmor.d/mbsync | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/profiles/apparmor.d/mbsync b/profiles/apparmor.d/mbsync
index 697e0f6cb..7aa667e2e 100644
--- a/profiles/apparmor.d/mbsync
+++ b/profiles/apparmor.d/mbsync
@@ -15,6 +15,7 @@ include <tunables/global>
 
 profile mbsync /usr/bin/mbsync {
   include <abstractions/base>
+  include <abstractions/nameservice-strict>
   include <abstractions/ssl_certs>
 
   network inet dgram,
@@ -23,12 +24,7 @@ profile mbsync /usr/bin/mbsync {
   network inet6 stream,
   network netlink raw,
 
-  @{etc_ro}/gai.conf r,
-  @{etc_ro}/host.conf r,
-  @{etc_ro}/hosts r,
-  @{etc_ro}/nsswitch.conf r,
   @{etc_ro}/ssl/openssl.cnf r,
-  @{run}/systemd/resolve/stub-resolv.conf r,
   /usr/bin/mbsync r,
   owner @{HOME}/.mbsyncrc r,
   owner @{HOME}/Mail/**/ r,

From 00a1152700ee4f22ebc80065d400c6a09439185b Mon Sep 17 00:00:00 2001
From: Eduardo Barretto <eduardo.barretto@canonical.com>
Date: Fri, 24 Jan 2025 09:41:43 +0100
Subject: [PATCH 3/7] mbsync: Add missing write permission to create any
 folders existent

---
 profiles/apparmor.d/mbsync | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/profiles/apparmor.d/mbsync b/profiles/apparmor.d/mbsync
index 7aa667e2e..7935ca5a7 100644
--- a/profiles/apparmor.d/mbsync
+++ b/profiles/apparmor.d/mbsync
@@ -27,7 +27,7 @@ profile mbsync /usr/bin/mbsync {
   @{etc_ro}/ssl/openssl.cnf r,
   /usr/bin/mbsync r,
   owner @{HOME}/.mbsyncrc r,
-  owner @{HOME}/Mail/**/ r,
+  owner @{HOME}/Mail/**/ rw,
   owner @{HOME}/Mail/**/.mbsyncstate rw,
   owner @{HOME}/Mail/**/.mbsyncstate.journal rw,
   owner @{HOME}/Mail/**/.mbsyncstate.lock wk,

From 76338c29f299ad03c69817970f6baf7d73e220c7 Mon Sep 17 00:00:00 2001
From: Eduardo Barretto <eduardo.barretto@canonical.com>
Date: Fri, 24 Jan 2025 09:43:43 +0100
Subject: [PATCH 4/7] mbsync: Add read to gss

This was needed when testing the profile in Oracular
---
 profiles/apparmor.d/mbsync | 1 +
 1 file changed, 1 insertion(+)

diff --git a/profiles/apparmor.d/mbsync b/profiles/apparmor.d/mbsync
index 7935ca5a7..9ca2ec507 100644
--- a/profiles/apparmor.d/mbsync
+++ b/profiles/apparmor.d/mbsync
@@ -24,6 +24,7 @@ profile mbsync /usr/bin/mbsync {
   network inet6 stream,
   network netlink raw,
 
+  @{etc_ro}/gss/mech.d/ r,
   @{etc_ro}/ssl/openssl.cnf r,
   /usr/bin/mbsync r,
   owner @{HOME}/.mbsyncrc r,

From bb422c1f01c7fbadb8f1dd65a423afe8a3f97f63 Mon Sep 17 00:00:00 2001
From: Eduardo Barretto <eduardo.barretto@canonical.com>
Date: Wed, 11 Jun 2025 11:28:08 +0200
Subject: [PATCH 5/7] profile: mbsync: Move vim tag

---
 profiles/apparmor.d/mbsync | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/profiles/apparmor.d/mbsync b/profiles/apparmor.d/mbsync
index 9ca2ec507..2e80d21c3 100644
--- a/profiles/apparmor.d/mbsync
+++ b/profiles/apparmor.d/mbsync
@@ -1,3 +1,4 @@
+# vim: ft=apparmor
 #------------------------------------------------------------------
 #    Copyright (C) 2024 Canonical Ltd.
 #
@@ -7,7 +8,6 @@
 #    modify it under the terms of version 2 of the GNU General Public
 #    License published by the Free Software Foundation.
 #------------------------------------------------------------------
-# vim: ft=apparmor
 
 abi <abi/4.0>,
 

From a7003f4d49f9bc191fc39bf632f0d27cbc1e16da Mon Sep 17 00:00:00 2001
From: Eduardo Barretto <eduardo.barretto@canonical.com>
Date: Wed, 11 Jun 2025 11:29:46 +0200
Subject: [PATCH 6/7] profiles: mbsync: Use openssl abstraction instead

---
 profiles/apparmor.d/mbsync | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/profiles/apparmor.d/mbsync b/profiles/apparmor.d/mbsync
index 2e80d21c3..5784b0e0d 100644
--- a/profiles/apparmor.d/mbsync
+++ b/profiles/apparmor.d/mbsync
@@ -16,6 +16,7 @@ include <tunables/global>
 profile mbsync /usr/bin/mbsync {
   include <abstractions/base>
   include <abstractions/nameservice-strict>
+  include <abstractions/openssl>
   include <abstractions/ssl_certs>
 
   network inet dgram,
@@ -25,7 +26,6 @@ profile mbsync /usr/bin/mbsync {
   network netlink raw,
 
   @{etc_ro}/gss/mech.d/ r,
-  @{etc_ro}/ssl/openssl.cnf r,
   /usr/bin/mbsync r,
   owner @{HOME}/.mbsyncrc r,
   owner @{HOME}/Mail/**/ rw,

From 3d25f1c80f2051efe0ef6e33610be820583409ad Mon Sep 17 00:00:00 2001
From: Eduardo Barretto <eduardo.barretto@canonical.com>
Date: Wed, 11 Jun 2025 11:30:16 +0200
Subject: [PATCH 7/7] profiles: mbsync: Allow mmap as it is needed for other
 architectures

---
 profiles/apparmor.d/mbsync | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/profiles/apparmor.d/mbsync b/profiles/apparmor.d/mbsync
index 5784b0e0d..f03759ad6 100644
--- a/profiles/apparmor.d/mbsync
+++ b/profiles/apparmor.d/mbsync
@@ -26,7 +26,7 @@ profile mbsync /usr/bin/mbsync {
   network netlink raw,
 
   @{etc_ro}/gss/mech.d/ r,
-  /usr/bin/mbsync r,
+  /usr/bin/mbsync mr,
   owner @{HOME}/.mbsyncrc r,
   owner @{HOME}/Mail/**/ rw,
   owner @{HOME}/Mail/**/.mbsyncstate rw,