From aec3f3b22c81978228b06baae5e87d27a3f06bda Mon Sep 17 00:00:00 2001
From: Georgia Garcia <georgia.garcia@canonical.com>
Date: Fri, 15 Mar 2024 17:40:58 -0300
Subject: [PATCH] add unconfined profiles for geary, loupe and firefox dev
 versions

These applications need to use user namespaces, hence it needs an
unconfined profile when user namespaces are restricted from unconfined
like other applications in MR #1123

https://gitlab.com/apparmor/apparmor/-/merge_requests/1123

In addition this serves as a handle to uniquely identify them instead
of unconfined to peers in policy.

Bug: https://bugs.launchpad.net/bugs/2046844

Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
---
 profiles/apparmor.d/firefox |  2 +-
 profiles/apparmor.d/geary   | 12 ++++++++++++
 profiles/apparmor.d/loupe   | 12 ++++++++++++
 3 files changed, 25 insertions(+), 1 deletion(-)
 create mode 100644 profiles/apparmor.d/geary
 create mode 100644 profiles/apparmor.d/loupe

diff --git a/profiles/apparmor.d/firefox b/profiles/apparmor.d/firefox
index 670fa2118..c4b6337fe 100644
--- a/profiles/apparmor.d/firefox
+++ b/profiles/apparmor.d/firefox
@@ -4,7 +4,7 @@
 abi <abi/4.0>,
 include <tunables/global>
 
-profile firefox /usr/lib/firefox{,-esr}/firefox{,-esr} flags=(unconfined) {
+profile firefox /usr/lib/firefox{,-esr,-beta,-devedition,-nightly}/firefox{,-esr,-bin} flags=(unconfined) {
   userns,
 
   # Site-specific additions and overrides. See local/README for details.
diff --git a/profiles/apparmor.d/geary b/profiles/apparmor.d/geary
new file mode 100644
index 000000000..6e65176ce
--- /dev/null
+++ b/profiles/apparmor.d/geary
@@ -0,0 +1,12 @@
+# This profile allows everything and only exists to give the
+# application a name instead of having the label "unconfined"
+
+abi <abi/4.0>,
+include <tunables/global>
+
+profile geary /usr/bin/geary flags=(unconfined) {
+  userns,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/geary>
+}
diff --git a/profiles/apparmor.d/loupe b/profiles/apparmor.d/loupe
new file mode 100644
index 000000000..f1beaac75
--- /dev/null
+++ b/profiles/apparmor.d/loupe
@@ -0,0 +1,12 @@
+# This profile allows everything and only exists to give the
+# application a name instead of having the label "unconfined"
+
+abi <abi/4.0>,
+include <tunables/global>
+
+profile loupe /usr/bin/loupe flags=(unconfined) {
+  userns,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/loupe>
+}