From 89a9f7673368e7d19802fd12ec3717a5477200e0 Mon Sep 17 00:00:00 2001
From: Georgia Garcia <georgia.garcia@canonical.com>
Date: Tue, 6 Feb 2024 15:10:20 -0300
Subject: [PATCH] add more unconfined profiles

These applications need to use user namespaces, hence they need an
unconfined profile when user namespaces are restricted from unconfined,
like the other applications in MR #1123

https://gitlab.com/apparmor/apparmor/-/merge_requests/1123

In addition this serves as a handle to uniquely identify them instead
of unconfined to peers in policy.

Note that unconfined mode should be changed for default_allow when
https://gitlab.com/apparmor/apparmor/-/merge_requests/1109 is merged.

Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
---
 profiles/apparmor.d/devhelp   | 12 ++++++++++++
 profiles/apparmor.d/epiphany  | 12 ++++++++++++
 profiles/apparmor.d/evolution | 12 ++++++++++++
 profiles/apparmor.d/opam      | 12 ++++++++++++
 4 files changed, 48 insertions(+)
 create mode 100644 profiles/apparmor.d/devhelp
 create mode 100644 profiles/apparmor.d/epiphany
 create mode 100644 profiles/apparmor.d/evolution
 create mode 100644 profiles/apparmor.d/opam

diff --git a/profiles/apparmor.d/devhelp b/profiles/apparmor.d/devhelp
new file mode 100644
index 000000000..ed7891a13
--- /dev/null
+++ b/profiles/apparmor.d/devhelp
@@ -0,0 +1,12 @@
+# This profile allows everything and only exists to give the
+# application a name instead of having the label "unconfined"
+
+abi <abi/4.0>,
+include <tunables/global>
+
+profile devhelp /usr/bin/devhelp flags=(unconfined) {
+  userns,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/devhelp>
+}
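Review bot: The header comment says the profile only exists to give the application a name, but it does not say why `userns,` is listed in a profile that already allows everything, so the rule reads as redundant and risks being dropped in a later cleanup. The commit message suggests the rule is meant to outlive the planned switch from unconfined to default_allow once MR 1109 is merged; a one-line comment on the rule would keep that intent in the file, e.g. `# userns is kept explicit so the rule survives the planned move from flags=(unconfined) to default_allow (MR 1109)`. Attachment is by path only, so an install of the application outside /usr/bin would presumably not be labelled by this profile and would still be subject to the user-namespace restriction on unconfined, which the header could note. The same applies to the epiphany, evolution and opam hunks below.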
diff --git a/profiles/apparmor.d/epiphany b/profiles/apparmor.d/epiphany
new file mode 100644
index 000000000..7a412d20f
--- /dev/null
+++ b/profiles/apparmor.d/epiphany
@@ -0,0 +1,12 @@
+# This profile allows everything and only exists to give the
+# application a name instead of having the label "unconfined"
+
+abi <abi/4.0>,
+include <tunables/global>
+
+profile epiphany /usr/bin/epiphany{,-browser} flags=(unconfined) {
+  userns,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/epiphany>
+}
diff --git a/profiles/apparmor.d/evolution b/profiles/apparmor.d/evolution
new file mode 100644
index 000000000..48b842bfb
--- /dev/null
+++ b/profiles/apparmor.d/evolution
@@ -0,0 +1,12 @@
+# This profile allows everything and only exists to give the
+# application a name instead of having the label "unconfined"
+
+abi <abi/4.0>,
+include <tunables/global>
+
+profile evolution /usr/bin/evolution flags=(unconfined) {
+  userns,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/evolution>
+}
diff --git a/profiles/apparmor.d/opam b/profiles/apparmor.d/opam
new file mode 100644
index 000000000..b0cd7a661
--- /dev/null
+++ b/profiles/apparmor.d/opam
@@ -0,0 +1,12 @@
+# This profile allows everything and only exists to give the
+# application a name instead of having the label "unconfined"
+
+abi <abi/4.0>,
+include <tunables/global>
+
+profile opam /usr/bin/opam flags=(unconfined) {
+  userns,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/opam>
+}
-- 
GitLab