From 67d10bc63b9b6f4b3fe2ec2bd51aaccd9b8c9d6a Mon Sep 17 00:00:00 2001
From: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
Date: Sun, 2 Jul 2023 00:07:59 +0200
Subject: [PATCH] Import AppArmor profile

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
---
 distrib/apparmor/ergo | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)
 create mode 100644 distrib/apparmor/ergo

diff --git a/distrib/apparmor/ergo b/distrib/apparmor/ergo
new file mode 100644
index 00000000..3a5f13d4
--- /dev/null
+++ b/distrib/apparmor/ergo
@@ -0,0 +1,34 @@
+include <tunables/global>
+
+# Georg Pfuetzenreuter <georg+ergo@lysergic.dev>
+# AppArmor confinement for ergo and ergo-ldap
+
+profile ergo /usr/bin/ergo {
+  include <abstractions/base>
+  include <abstractions/consoles>
+  include <abstractions/nameservice>
+
+  /etc/ergo/ircd.{motd,yaml} r,
+  /etc/ssl/irc/{crt,key} r,
+  /etc/ssl/ergo/{crt,key} r,
+  /usr/bin/ergo mr,
+  /proc/sys/net/core/somaxconn r,
+  /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,
+  /usr/share/ergo/languages/{,*.lang.json,*.yaml} r,
+  owner /run/ergo/ircd.lock rwk,
+  owner /var/lib/ergo/ircd.db rw,
+
+  include if exists <local/ergo>
+
+}
+
+profile ergo-ldap /usr/bin/ergo-ldap {
+  include <abstractions/openssl>
+  include <abstractions/ssl_certs>
+  
+  /usr/bin/ergo-ldap rm,
+  /etc/ergo/ldap.yaml r,
+
+  include if exists <local/ergo-ldap>
+
+}