# AppArmor profile for radicale CalDAV/CardDAV server
# Version of program profiled: 3.2.1
# Homepage: https://github.com/krathalan/apparmor-profiles
# Copyright 2020-2024 (C) krathalan; Licensed under GPLv3

abi <abi/3.0>,
include <tunables/global>

profile radicale /usr/bin/radicale {
  include if exists <local/radicale>
  include <abstractions/base>
  include <abstractions/krathalans-nameservice>
  include <abstractions/python>

  /usr/bin/ r,
  /usr/bin/python3.[0-9] r,
  /usr/bin/radicale r,

  # Config
  /etc/radicale/{,*} r,

  # Networking
  include <abstractions/openssl>
  network inet dgram,
  network inet stream,
  network inet6 dgram,
  network inet6 stream,

  # Storage
  /var/lib/radicale/{,**} rwk,

  # Misc
  /etc/gai.conf r,
  /etc/host.conf r,
  /etc/hosts r,
  /etc/httpd/{,**} r,
  /etc/mime.types r,

  # Deny unnecessary permissions
  deny /run/systemd/resolve/resolv.conf r,
  deny @{PROC}/sys/kernel/osrelease r,
  deny @{PROC}/cmdline r,
}
