# vim: ft=apparmor
#------------------------------------------------------------------
#    Copyright (C) 2024 Canonical Ltd.
#
#    Author: Giampaolo Fresi Roglia (gianz)
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License published by the Free Software Foundation.
#------------------------------------------------------------------

abi <abi/4.0>,

include <tunables/global>

@{tnftp_rx}=/bin/ /sbin/ /usr/bin/ /usr/sbin/ /usr/local/bin/ /usr/local/sbin/ /usr/games/ /usr/local/games/ /snap/bin/ @{HOME}/bin/ @{HOME}/.local/bin/

profile tnftp /usr/bin/tnftp {
  include <abstractions/authentication>
  include <abstractions/base>
  include <abstractions/consoles>
  include <abstractions/nameservice>
  include <abstractions/terminfo>
  include <abstractions/user-tmp>
  include <abstractions/user-download>
  include <abstractions/private-files-strict>

  network inet stream,
  network inet6 stream,

  @{exec_path} mr,

  # required for the pager (less, more) to work
  file Cx /usr/bin/dash,

  # allow read on anything on @{HOME} not explicitly denied
  owner file r @{HOME},
  owner file r @{HOME}/**,
  # Explicitly allow ~/.netrc, otherwise denied by private-files-strict
  priority=1 owner file r @{HOME}/.netrc,

  # Sub-profile for the pager to work
  profile dash /usr/bin/dash {
    include <abstractions/base>
    network (send, receive) inet stream,
    network (send, receive) inet6 stream,

    file Px /usr/bin/more -> tnftp//dash//more,
    file mr /usr/bin/dash,
  }

  # Ideally this would be a subprofile of "dash".
  # Defined as sub profile of tnftp for backwards compatibility.
  profile dash//more {
    include <abstractions/base>
    include <abstractions/terminfo>
    network (send, receive) inet stream,
    network (send, receive) inet6 stream,

    file mr /usr/bin/more,
  }

  # required for the ! command to work.
  # here we are restricting execution to files in a limited set of
  # directories, for which we also deny write access.
  file Cx @{tnftp_rx}/* -> cmds,
  audit deny file w @{tnftp_rx}/*,
  
  profile cmds {
    include <abstractions/base>
    include <abstractions/consoles>
    include <abstractions/user-tmp>
    include <abstractions/user-download>
    include <abstractions/private-files-strict>

    # prevent network access
    deny network,

    file ixmr @{tnftp_rx}/*,
    audit deny file w @{tnftp_rx}/*,

    # allow read on anything on @{HOME} not explicitly denied
    owner file r @{HOME},
    owner file r @{HOME}/**,
  }

  include if exists <local/tnftp>
}
