# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

# This profile is broad on purpose:
# - Pkgctl uses a lot of different binaries and scripts inside its sandbox.
# - Using the unconfined flag would Pix everything; we do not want that, as the
#   transitioned profile would have to account for pkgctl paths too.
# - It could be restricted later using a namespace approach.

abi <abi/4.0>,

include <tunables/global>

# Path of the pkgctl binary, built from the @{bin} tunable.
# NOTE(review): the profile header below attaches with the literal glob
# /{,usr/}bin/pkgctl and no visible rule references @{exec_path}; it may be
# consumed by an included file - confirm.
@{exec_path} = @{bin}/pkgctl
# Prefix handed to attach_disconnected.path in the profile flags.
@{att} = /att/pkgctl/
# Allow-all profile for pkgctl. Flags:
# - attach_disconnected: objects whose path cannot be resolved inside the
#   task's namespace are still attached and mediated.
# - attach_disconnected.path=@{att}: those paths are attached under @{att}
#   rather than the namespace root, which keeps them distinguishable from
#   ordinary absolute paths.
# - mediate_deleted: deleted files remain subject to mediation.
profile pkgctl /{,usr/}bin/pkgctl flags=(attach_disconnected,attach_disconnected.path=@{att},mediate_deleted) {
  # Base rules for profiles using an attach path; content not visible here.
  include <abstractions/attached/base>

  # Grants every permission, so this profile adds no restriction of its own:
  # pkgctl runs under a named label instead of being unconfined.
  # NOTE(review): per the file header this is preferred over flags=(unconfined)
  # because of how exec transitions are handled - presumably children stay in
  # this profile; confirm against the apparmor.d(5) description of 'all'.
  all,

  # Optional site-local additions. Because of the 'all,' rule above, any
  # tightening added there has to be expressed as deny rules.
  include if exists <local/pkgctl>
}

# vim:syntax=apparmor
