Merge Add profile for mbsync tool

Source package isync Let me know if you think we should better handle any mail or different mbsyncrc location that the user might have. As well if I should simplify the network access to `include <abstractions/nameservice>` or if that's too much. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1372 Approved-by: Ryan Lee <rlee287@yahoo.com> Merged-by: Maxime Bélair <maxime.belair@canonical.com>
2025-08-22 01:57:43 +00:00 · 2025-06-23 13:25:41 +00:00 · 2025-06-23 13:25:41 +00:00 · 61a3a4862e
commit 61a3a4862e
parent 2c685c0a17 3d25f1c80f
1 changed files with 42 additions and 0 deletions
--- a/profiles/apparmor.d/mbsync
+++ b/profiles/apparmor.d/mbsync
@ -0,0 +1,42 @@
+# vim: ft=apparmor
+#------------------------------------------------------------------
+#    Copyright (C) 2024 Canonical Ltd.
+#
+#    Author: Eduardo Barretto <eduardo.barretto@canonical.com>
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#------------------------------------------------------------------
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+profile mbsync /usr/bin/mbsync {
+  include <abstractions/base>
+  include <abstractions/nameservice-strict>
+  include <abstractions/openssl>
+  include <abstractions/ssl_certs>
+
+  network inet dgram,
+  network inet stream,
+  network inet6 dgram,
+  network inet6 stream,
+  network netlink raw,
+
+  @{etc_ro}/gss/mech.d/ r,
+  /usr/bin/mbsync mr,
+  owner @{HOME}/.mbsyncrc r,
+  owner @{HOME}/Mail/**/ rw,
+  owner @{HOME}/Mail/**/.mbsyncstate rw,
+  owner @{HOME}/Mail/**/.mbsyncstate.journal rw,
+  owner @{HOME}/Mail/**/.mbsyncstate.lock wk,
+  owner @{HOME}/Mail/**/.mbsyncstate.new rw,
+  owner @{HOME}/Mail/**/.uidvalidity rwk,
+  owner @{HOME}/Mail/**/cur/* rw,
+  owner @{HOME}/Mail/**/new/* rw,
+  owner @{HOME}/Mail/**/tmp/* rw,
+
+  include if exists <local/mbsync>
+}