From fa41bd05f73347e0f9c83e080e30d7b9edf07edc Mon Sep 17 00:00:00 2001
From: Paulo Flabiano Smorigo
Date: Fri, 7 Feb 2025 15:58:05 -0300
Subject: [PATCH 1/2] Add gpg-agent profile
Signed-off-by: Paulo Flabiano Smorigo
---
profiles/apparmor.d/gpg-agent | 40 +++++++++++++++++++++++++++++++++++
1 file changed, 40 insertions(+)
create mode 100644 profiles/apparmor.d/gpg-agent
diff --git a/profiles/apparmor.d/gpg-agent b/profiles/apparmor.d/gpg-agent
new file mode 100644
index 000000000..f829282de
--- /dev/null
+++ b/profiles/apparmor.d/gpg-agent
@@ -0,0 +1,40 @@
+#------------------------------------------------------------------
+# Copyright (C) 2025 Canonical Ltd.
+#
+# Author: Paulo Flabiano Smorigo
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#------------------------------------------------------------------
+# vim: ft=apparmor
+abi ,
+include
+profile gpg-agent /usr/bin/gpg-agent {
+ include
+ include
+ include
+ @{etc_ro}/gnupg r,
+ /usr/share/gnupg/{,**} r,
+ /usr/share/doc/gnupg/{,**} r,
+ /usr/lib/gnupg/{,**} r,
+ /usr/bin/gpg-agent mr,
+ /usr/bin/pinentry{,-gnome3,-curses,-gtk-2,-tty} rPx,
+ /usr/bin/scdaemon rPx,
+ @{PROC}/*/fd/ r,
+ owner @{run}/user/@{uid}/gnupg/{,d.**/}S.gpg-agent{,.browser,.extra,.ssh} rw,
+ owner @{run}/user/@{uid}/gnupg/{,d.**/}S.{scdaemon,keyboxd,sshcontrol} rw,
+ owner @{HOME}/.gnupg/{,**} rw,
+ owner @{HOME}/.config/gnupg/{,**} rw,
+ include if exists
+}
From e5d98bb0efc3c724c6e48b4cefd133594ee66761 Mon Sep 17 00:00:00 2001
From: Paulo Flabiano Smorigo
Date: Thu, 13 Feb 2025 10:40:25 -0300
Subject: [PATCH 2/2] gpg-agent: improvement, add paths and pacman/zypper support
Signed-off-by: Paulo Flabiano Smorigo
---
profiles/apparmor.d/gpg-agent | 37 +++++++++++++++++++++++------------
1 file changed, 25 insertions(+), 12 deletions(-)
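Review bot: The `/usr/bin/pinentry{,-gnome3,-curses,-gtk-2,-tty} rPx,` and `/usr/bin/scdaemon rPx,` rules transition to named child profiles, but this series only creates `profiles/apparmor.d/gpg-agent` (see the diffstat), so on a host where no `pinentry*` or `scdaemon` profile is loaded the exec is denied and gpg-agent can neither prompt for a passphrase nor reach a smartcard. Either ship the child profiles with this one or record the dependency above the rules, e.g. `# Px requires the pinentry and scdaemon profiles to be loaded; the exec is denied without them`. If gpg-agent also signals those children (it terminates scdaemon on shutdown, as far as I know), matching `signal (send) peer=...` rules will be needed as well — worth confirming against an audit log. The `abi ,` and `include` lines appear here without their angle-bracketed arguments; that is presumably an artifact of how the patch was rendered rather than the committed text, since the profile would not parse as shown.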
diff --git a/profiles/apparmor.d/gpg-agent b/profiles/apparmor.d/gpg-agent
index f829282de..a6113ba27 100644
--- a/profiles/apparmor.d/gpg-agent
+++ b/profiles/apparmor.d/gpg-agent
@@ -7,34 +7,47 @@
 # modify it under the terms of version 2 of the GNU General Public
 # License published by the Free Software Foundation.
 #------------------------------------------------------------------
-# vim: ft=apparmor
 abi ,
 include
+@{GNUPG_DEFAULT}="@{HOME}/{.,.config/}gnupg"
+@{GNUPG_PACMAN}="{/etc/pacman.d/,/var/lib/*/{.,}}gnupg"
+@{GNUPG_ZYPPER}="/var/tmp/zypp.*"
+@{GNUPG_CONFIGS}="{@{GNUPG_DEFAULT},@{GNUPG_PACMAN},@{GNUPG_ZYPPER}}"
+
 profile gpg-agent /usr/bin/gpg-agent {
  include
  include
- include
- @{etc_ro}/gnupg r,
-
- /usr/share/gnupg/{,**} r,
- /usr/share/doc/gnupg/{,**} r,
+ capability dac_read_search,
+ @{etc_ro}/gnupg/*.conf r,
+ /usr/share/{,doc/}gnupg/{,**} r,
 /usr/lib/gnupg/{,**} r,
 /usr/bin/gpg-agent mr,
- /usr/bin/pinentry{,-gnome3,-curses,-gtk-2,-tty} rPx,
- /usr/bin/scdaemon rPx,
+ /usr/bin/pinentry-* rPix,
+ /usr/bin/scdaemon rPix,
+ /usr/lib/{,gnupg/}scdaemon rPix,
- @{PROC}/*/fd/ r,
+ @{PROC}/@{pid}/fd/ r,
+ owner @{run}/user/@{uid}/gnupg/{*.conf,sshcontrol} r,
+ owner @{run}/user/@{uid}/gnupg/{,d.**/} rw,
 owner @{run}/user/@{uid}/gnupg/{,d.**/}S.gpg-agent{,.browser,.extra,.ssh} rw,
- owner @{run}/user/@{uid}/gnupg/{,d.**/}S.{scdaemon,keyboxd,sshcontrol} rw,
- owner @{HOME}/.gnupg/{,**} rw,
- owner @{HOME}/.config/gnupg/{,**} rw,
+ owner @{run}/user/@{uid}/gnupg/{,d.**/}S.{dirmngr,keyboxd} rw,
+ owner @{run}/user/@{uid}/gnupg/private-keys-v1.d/{,**.key{,.tmp}} rw,
+
+ owner @{GNUPG_CONFIGS}/{,**} rw,
+ owner @{GNUPG_CONFIGS}/{*.conf,sshcontrol} r,
+ owner @{GNUPG_CONFIGS}/{,private-keys-v1.d/{,**.key{,.tmp}}} rw,
+ owner @{GNUPG_CONFIGS}/{,d.**/}S.gpg-agent{,.ssh,.browser,.extra} rw,
+
+ owner /dev/tty[0-9]* rw,
 include if exists
 }
+
+# vim: ft=apparmor
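Review bot: The new `capability dac_read_search,` line carries no comment saying which access needs it, and it is the broadest grant in this profile: it lets gpg-agent bypass DAC read and search checks on any path the file rules permit, which matters because the same commit adds root-owned package-manager keyring locations through `@{GNUPG_PACMAN}` and `@{GNUPG_ZYPPER}`. Please record the triggering denial above it, e.g. `# dac_read_search: needed for <TODO: path/operation denied without it> when run by pacman/zypper; drop if the GNUPG_CONFIGS rules alone suffice`. Separately, `owner @{GNUPG_CONFIGS}/{,**} rw,` already matches every path the three `owner @{GNUPG_CONFIGS}/...` rules below it name, so those three are either dead rules or the broad `{,**} rw` is the one that should be narrowed. Finally, `/usr/bin/pinentry-* rPix,` falls back to inheriting this profile when no pinentry profile is loaded, and none of the visible rules (the include targets are not legible here) grants the display or terminal access a graphical pinentry would need, so the fallback is likely to surface as denials at prompt time rather than a clean failure — worth testing with a pinentry profile both present and absent.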