Merge profiles: curl: switch to user-tmp abstraction

The curl profile allows reading and writing to /tmp/ so instead of two rules that don't cover all tmp locations, switch to the user-tmp abstraction to allow access to the various possible tmp locations. Note: The does reduce the write permission to owner write, instead of the wider file w /tmp/**, Signed-off-by: John Johansen <john.johansen@canonical.com> MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1773 Approved-by: Maxime Bélair <maxime.belair@canonical.com> Merged-by: John Johansen <john@jjmx.net>
2025-08-30 13:58:22 +00:00 · 2025-08-30 01:12:37 +00:00 · 2025-08-30 01:12:37 +00:00 · 7757c7130c
commit 7757c7130c
parent e58f65d0c1 59e7fdd96a
1 changed files with 6 additions and 9 deletions
--- a/profiles/apparmor.d/curl
+++ b/profiles/apparmor.d/curl
@ -17,22 +17,19 @@ profile curl /usr/bin/curl {
  include <abstractions/private-files-strict>
  include <abstractions/ssl_certs>

+  #can read/write data and configs from tmp
+  include <abstractions/user-tmp>
+
  @{exec_path} mr,

  # allow reading configuration files from $HOME
-  priority=1 file r @{HOME}/.curlrc,
-  priority=1 file r @{HOME}/.config/curlrc,
+  priority=1 owner file r @{HOME}/.curlrc,
+  priority=1 owner file r @{HOME}/.config/curlrc,

  # allow reading other configuration files/certs from $HOME
  # (see --config, --cacert options)
-  file r @{HOME}/**,
-
-  # allow reading data/config from tmp
-  owner file r /tmp/**,
-
  # allow writing output to $HOME, /tmp (see -o option)
-  file w @{HOME}/**,
-  file w /tmp/**,
+  owner file rw @{HOME}/**,

  # allows UDP (for DNS), TCP (for http, https, etc), abstract Unix sockets, IPv4, IPv6
  network unix stream,