#------------------------------------------------------------------
#    Copyright (C) 2025 Canonical Ltd.
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License published by the Free Software Foundation.
#------------------------------------------------------------------
# vim: ft=apparmor

abi <abi/5.0>,

include <tunables/global>

profile curl /usr/bin/curl {
  include <abstractions/base>
  include <abstractions/nameservice>
  # private-files-strict carries deny rules for sensitive dotfiles (e.g.
  # ~/.ssh, ~/.gnupg); deny takes precedence over the broad @{HOME}/** grant
  # below, so that grant does not expose those files
  include <abstractions/private-files-strict>
  include <abstractions/ssl_certs>

  # user-tmp: read/write of the user's own data and config files under /tmp
  # (curl may read a --config file from there and write -o output there)
  include <abstractions/user-tmp>

  # the curl binary itself: readable and mappable as executable
  @{exec_path} mr,

  # allow reading configuration files from $HOME
  # priority=1 makes these read-only rules win over the default-priority rw
  # grant on @{HOME}/** below for these two paths, so curl can read but not
  # rewrite its own configuration (rules with higher priority take
  # precedence where paths overlap)
  priority=1 owner file r @{HOME}/.curlrc,
  priority=1 owner file r @{HOME}/.config/curlrc,

  # allow reading other configuration files/certs from $HOME
  # (see --config, --cacert options)
  # allow writing output to $HOME, /tmp (see -o option)
  # "owner" restricts this to files owned by the invoking user; no exec
  # permission is granted, only read/write
  owner file rw @{HOME}/**,

  # allows UDP (for DNS), TCP (for http, https, etc), abstract Unix sockets, IPv4, IPv6
  network unix stream,
  network unix dgram,
  network inet stream,
  network inet dgram,
  network inet6 stream,
  network inet6 dgram,

  # Allow access to the snap socket until we can revisit it with delegation
  # or profile refactoring (needed for curl to talk to snapd over its
  # local socket, e.g. when invoked from snap tooling)
  file rw @{run}/snapd.socket,

  # Site-specific additions and overrides. See local/README for details.
  # "if exists" keeps the profile loadable when no local override is present.
  include if exists <local/curl>
}
