# This AppArmor profile is part of the redmine package
# Georg Pfuetzenreuter <mail+apparmor@georg-pfuetzenreuter.net>
# Policy ABI and the global tunables (@{pid} etc.); both must precede the profiles.
abi <abi/3.0>,
include <tunables/global>
# Build-time placeholders (presumably substituted by the package build — confirm):
#   RM_BASE          root of the installed Redmine tree (app/, public/, tmp/, ...)
#   RM_RUBY_SUFFIX   suffix of the ruby/puma/sidekiq executables (ruby.<suffix>)
#   RM_RUBY_VERSION  version directory under /usr/lib64/ruby and .../gems
@{RM_BASE}=__BASE__
@{RM_RUBY_SUFFIX}=__RUBY_SUFFIX__
@{RM_RUBY_VERSION}=__RUBY_VERSION__
# Web process (puma). The profile has no attachment path, so it is never applied
# automatically on exec; something has to select it explicitly (presumably the
# systemd unit via AppArmorProfile= — confirm).
# attach_disconnected: paths no longer connected to the namespace root are still
# matched against the rules below instead of being denied outright.
profile redmine flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/fonts>
include <abstractions/openssl>
include <abstractions/redmine>
/dev/tty rw,
# thread names set by the runtime; owner restricts this to the service's own tasks
owner /proc/@{pid}/task/*/comm rw,
# Helper programs are confined by the dedicated subprofiles defined further down
# (Cx = transition to a child profile). Each helper therefore gets its own
# reduced rule set instead of inheriting this profile's access to the Redmine
# tree and the attachment store.
/usr/bin/bash Cx -> &redmine//bash,
/usr/bin/gs.bin Cx -> &redmine//ghostscript,
/usr/bin/magick Cx -> &redmine//magick,
/usr/lib/git/git Cx -> &redmine//git,
/bin/sh Cx -> bash,
/usr/bin/convert Cx -> magick,
/usr/bin/git Cx -> git,
/usr/bin/gs Cx -> ghostscript,
# NOTE(review): if /usr/bin/gs is a wrapper script rather than an ELF binary, its
# interpreter would also have to be permitted inside the ghostscript subprofile
# for this transition to succeed — confirm against the installed package.
# puma is a script read by the ruby interpreter; ruby itself inherits (ix) this
# profile, so the whole application stays under these rules.
/usr/bin/puma.@{RM_RUBY_SUFFIX}-[0-9].[0-9].[0-9] r,
/usr/bin/ruby.@{RM_RUBY_SUFFIX} ix,
/run/redmine/puma.pid rw,
/etc/redmine/puma.rb r,
# Application code and static assets: read-only, limited to the file types the
# app serves. Nothing under @{RM_BASE} is writable except tmp/ below.
@{RM_BASE}/app/views/*/*.{api.rsb,builder} r,
@{RM_BASE}/config.ru r,
@{RM_BASE}/db/migrate/ r,
@{RM_BASE}/public/assets/**.{css,js{,.map},gif,ico,png,svg,ttf,woff,woff2} r,
@{RM_BASE}/public/favicon.ico r,
@{RM_BASE}/public/help/*.css r,
@{RM_BASE}/public/help/{*/,}*.html r,
@{RM_BASE}/public/{404,500}.html r,
# Cache, pid and thumbnail scratch space; owner limits writes to files owned by
# the service user. The long patterns mirror the cache key layout written by the
# app (presumably Rails.cache / i18n — confirm before widening them).
owner @{RM_BASE}/tmp/cache/**.stable r,
owner @{RM_BASE}/tmp/cache/*/*/.permissions_check.* rw,
owner @{RM_BASE}/tmp/cache/*/*/i18n%[0-9][A-Z]languages_options%[0-9][A-Z][0-9].[0-9].[0-9].stable rw,
owner @{RM_BASE}/tmp/cache/*/*/{formatted_text,views}* rw,
owner @{RM_BASE}/tmp/cache/*/{,*/} rw,
owner @{RM_BASE}/tmp/cache/.formatted_text* rw,
owner @{RM_BASE}/tmp/cache/.i18n[0-9][A-Z]languages_options[0-9][A-Z][0-9].[0-9].[0-9].stable20[2-3][0-9][0-9][0-9][0-9][0-9]-*-* rw,
owner @{RM_BASE}/tmp/cache/.views* rw,
owner @{RM_BASE}/tmp/{cache,pids}/ rw,
owner @{RM_BASE}/tmp/thumbnails/ r,
owner @{RM_BASE}/tmp/thumbnails/*.thumb rw,
# Temporary files in the shared /tmp; owner again keeps this to the service's own files.
# NOTE(review): /tmp/0.* is a broad pattern — confirm which component creates these.
owner /tmp/0.* rw,
owner /tmp/RackMultipart* rw,
owner /tmp/mini_magick*-*-*.png rw,
owner /tmp/puma2[0-9][0-9][0-9][0-9][0-9][0-9][0-9]-*-* rw,
# Attachment store: the only persistent writable location outside tmp/.
owner /var/lib/redmine/files/** rw,
# repository browser, aligns with the git subprofile
/srv/git/*.git/** r,
# ImageMagick, aligns with the magick subprofile
/etc/ImageMagick-7-SUSE/*.xml r,
# plugin additions
# Everything dropped into this directory extends the web profile; treat it as policy.
include <redmine.d>
# administrator additions
include if exists <local/redmine>
# Shell used for SCM commands. It can only hand off to the other confined helpers
# (Px = transition to the named profile with environment scrubbing); there is no
# transition back to the redmine profile and no access to the application tree.
profile bash flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/bash>
include <abstractions/consoles>
include <abstractions/nameservice>
/usr/bin/bash mr,
/usr/bin/gs.bin Px -> redmine//ghostscript,
/usr/bin/magick Px -> redmine//magick,
/usr/lib/git/git Px -> redmine//git,
/var/log/redmine/production.scm.stderr.log rw,
}
# Repository browser helper. The explicit deny overrides any allow rule an include
# could add and keeps the denials out of the audit log: git cannot reach remotes
# from here, and the repositories themselves are read-only.
profile git flags=(attach_disconnected) {
include <abstractions/base>
/usr/lib/git/git mr,
deny network,
# repository browser
/srv/git/*.git/** r,
}
# PostScript/PDF rendering of user-supplied uploads. Unlike git and magick this
# subprofile keeps IPv4/IPv6 stream sockets and unix IPC open, presumably for the
# crypto-policy lookups below — NOTE(review): confirm gs needs network access at
# all, as this is the component most exposed to untrusted input.
profile ghostscript flags=(attach_disconnected) {
include <abstractions/base>
/usr/bin/gs.bin mr,
network inet stream,
network inet6 stream,
unix (receive, send),
/proc/sys/crypto/fips_enabled r,
/usr/share/crypto-policies/DEFAULT/gnutls.txt r,
}
# ImageMagick thumbnailing. Network is denied explicitly (deny wins over any
# allow). The SUSE policy XML files are read-only, so the coder restrictions set
# there cannot be altered from this process; writes are limited to its own temp
# files, the thumbnail directory and the attachment store.
profile magick flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/fonts>
/usr/bin/magick mr,
/etc/ImageMagick-7-SUSE/*.xml r,
owner /tmp/magick-* rw,
owner /tmp/mini_magick*-*-*.png rw,
# NOTE(review): rw on the attachment store from the converter — confirm write
# access is required here, or reduce to r.
owner /var/lib/redmine/files/** rw,
owner @{RM_BASE}/tmp/thumbnails/*.thumb rw,
deny network inet stream,
deny network inet6 stream,
}
}
# Background job worker. Like the redmine profile it has no attachment path and
# must be selected explicitly. It needs outbound sockets (presumably the job
# queue and mail delivery — confirm), so it gets dgram/stream access plus the
# name-service files directly instead of the nameservice abstraction.
profile redmine-sidekiq flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/openssl>
include <abstractions/redmine>
# these ruby abstractions are unfortunately pretty useless on openSUSE, but better than nothing
include <abstractions/ruby>
network inet dgram,
network inet stream,
network inet6 dgram,
network inet6 stream,
unix (receive, send) type="dgram" addr=auto,
unix (receive, send) type="stream",
/etc/hosts r,
/etc/nsswitch.conf r,
/etc/services r,
owner /proc/@{pid}/status r,
owner /proc/@{pid}/task/*/comm rw,
# sidekiq is a script read by the ruby interpreter.
# NOTE(review): unlike the redmine profile there is no explicit ruby ix rule here;
# presumably abstractions/ruby or abstractions/redmine provides it — confirm.
/usr/bin/sidekiq.@{RM_RUBY_SUFFIX}-[0-9].[0-9].[0-9] r,
# Ruby runtime and gems, read-only; native extensions get mr (map as executable).
# The x86_64-linux paths are architecture-specific and would need adjusting for
# other targets.
/usr/lib64/ruby/@{RM_RUBY_VERSION}/**.rb r,
/usr/lib64/ruby/@{RM_RUBY_VERSION}/x86_64-linux-gnu/ r,
/usr/lib64/ruby/@{RM_RUBY_VERSION}/x86_64-linux-gnu/**.so mr,
/usr/lib64/ruby/gems/@{RM_RUBY_VERSION}/extensions/x86_64-linux/@{RM_RUBY_VERSION}/*/ r,
/usr/lib64/ruby/gems/@{RM_RUBY_VERSION}/gems/*/{,**{/,.rb}} r,
/usr/lib64/ruby/gems/@{RM_RUBY_VERSION}/gems/active*/lib/*/locale/*.yml r,
/usr/lib64/ruby/gems/@{RM_RUBY_VERSION}/gems/sidekiq-[0-9].[0-9].[0-9]/bin/sidekiq r,
# system CA bundle for outbound TLS
/var/lib/ca-certificates/ca-bundle.pem r,
@{RM_BASE}/lib/redmine/scm/adapters/*/ r,
@{RM_BASE}/lib/redmine/views/builders/{,*.rb} r,
# plugin additions
# Shared with the web profile: rules added here apply to the worker as well.
include <redmine.d>
# directory only (trailing slash); files inside are not covered by this rule
owner /tmp/bundler*/ rw,
}