From 59e7fdd96a6e6bebe151bfd02645d66942701018 Mon Sep 17 00:00:00 2001
From: John Johansen
Date: Thu, 14 Aug 2025 10:34:37 -0700
Subject: [PATCH] profiles: curl: switch to user-tmp abstraction
The curl profile allows reading and writing to /tmp/ so instead of two rules that don't cover all tmp locations, switch to the user-tmp abstraction to allow access to the various possible tmp locations.
Note: The does reduce the write permission to owner write, instead of the wider file w /tmp/**, In addition move the @{HOME} permissions to be restricted files owned by the user.
Signed-off-by: John Johansen
---
 profiles/apparmor.d/curl | 15 ++++++---------
 1 file changed, 6 insertions(+), 9 deletions(-)
diff --git a/profiles/apparmor.d/curl b/profiles/apparmor.d/curl
index cbee547fe..3704b418f 100644
--- a/profiles/apparmor.d/curl
+++ b/profiles/apparmor.d/curl
@@ -17,22 +17,19 @@ profile curl /usr/bin/curl {
 include
 include
+ #can read/write data and configs from tmp
+ include
+
 @{exec_path} mr,
 # allow reading configuration files from $HOME
- priority=1 file r @{HOME}/.curlrc,
- priority=1 file r @{HOME}/.config/curlrc,
+ priority=1 owner file r @{HOME}/.curlrc,
+ priority=1 owner file r @{HOME}/.config/curlrc,
 # allow reading other configuration files/certs from $HOME
 # (see --config, --cacert options)
- file r @{HOME}/**,
-
- # allow reading data/config from tmp
- owner file r /tmp/**,
-
 # allow writing output to $HOME, /tmp (see -o option)
- file w @{HOME}/**,
- file w /tmp/**,
+ owner file rw @{HOME}/**,
 # allows UDP (for DNS), TCP (for http, https, etc), abstract Unix sockets, IPv4, IPv6
 network unix stream,