# AppArmor profile for mbsync/isync IMAP mailbox synchronizer
# Version of program profiled: 1.4.4
# Homepage: https://github.com/krathalan/apparmor-profiles
# Copyright 2020-2024 (C) krathalan; Licensed under GPLv3

abi <abi/3.0>,
include <tunables/global>

profile mbsync /usr/bin/mbsync {
  include if exists <local/mbsync>
  include <abstractions/base>

  # Networking
  include <abstractions/ssl_certs>
  include <abstractions/krathalans-networking>
  network netlink raw,
  network inet dgram,
  network inet stream,
  network inet6 dgram,
  network inet6 stream,

  # Config
  owner @{HOME}/.mbsyncrc r,

  # Mail storage
  owner @{HOME}/.local/share/mail/{,**} rw,
  owner @{HOME}/.local/share/mail/{,**}/{.mbsyncstate.lock,.uidvalidity} k,

  # GPG
  /usr/bin/dash rix,
  /usr/bin/gpg rCx,

  profile gpg /usr/bin/gpg {
    include if exists <local/mbsync-gpg>
    include <abstractions/base>
    include <abstractions/gnupg>
    network inet stream,

    /usr/bin/gpg r,

    owner @{HOME}/.gnupg/gpg.conf r,
    owner @{HOME}/.gnupg/pubring.kbx.{lock,tmp} rwl,
    owner @{HOME}/.gnupg/*lk* rwl,
    owner @{HOME}/.gnupg/random_seed k,

    # Deny unnecessary permissions
    deny network inet6 stream,
  }
}
