Would an AppArmor profile for radicle-node be useful?
After getting radicle set up and figuring out running radicle-node as my current user, I thought it might be useful to lock the node process down quite tightly.
This is my current stab at a profile, and I've been able to seed a repository, view issues, and, if this works, create an issue.
usr.bin.radicle-node
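#include <tunables/global>

/usr/bin/radicle-node {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/user-tmp>

  # The node binary itself: read and map as executable.
  /usr/bin/radicle-node mr,
  # git runs under this same profile (ix = inherit on exec).
  /usr/bin/git ix,
  /etc/gitconfig rk,

  # Node state and the user's git configuration.
  owner @{HOME}/.radicle/{,**} rwk,
  owner @{HOME}/.gitconfig rwk,

  # Key material stays off limits; "audit" logs every denied attempt.
  audit deny @{HOME}/.ssh/{,**} mrwkl,
  audit deny @{HOME}/.gnupg/{,**} mrwkl,
  audit deny @{HOME}/.local/share/sequoia/{,**} mrwkl,
}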
Apparently that first profile missed that radicle-node needs to run some other things out of git-core, so I needed to add this before it would synchronize the issue. Also, rad issue edit didn't seem to work. I'm not sure if that's expected, but here's a try at a comment.
/usr/lib/git-core/** ix,
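
The git-core gap described above shows up in the kernel audit log as DENIED events for the profile. The following is an added example, not part of the original post or the Radicle project: it separates hits on the profile's `audit deny` rules from denials that point at a missing rule. The function names, the sample log lines, and the assumption that home directories live under /home/<user>/ are all constructed for illustration.

```python
import re
from collections import Counter

# Directories the profile above blocks with "audit deny", relative to a home dir.
AUDITED_DENY = (".ssh", ".gnupg", ".local/share/sequoia")
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_fields(line):
    """Return the key=value fields of one AppArmor audit line."""
    fields = {}
    for key, raw in KV.findall(line):
        if raw.startswith('"'):
            fields[key] = raw[1:-1]
        elif key == "name" and re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", raw):
            # Names with spaces or special bytes are logged unquoted, hex-encoded.
            fields[key] = bytes.fromhex(raw).decode("utf-8", "replace")
        else:
            fields[key] = raw
    return fields

def summarize_denials(log_text, profile="/usr/bin/radicle-node"):
    """Split DENIED events for `profile` into audited-deny hits and likely profile gaps."""
    expected, gaps = Counter(), Counter()
    for line in log_text.splitlines():
        f = parse_fields(line)
        if f.get("apparmor") != "DENIED" or f.get("profile") != profile:
            continue
        key = (f.get("operation", "?"), f.get("name", "?"), f.get("denied_mask", "?"))
        # Assumption: home directories live under /home/<user>/.
        rel = re.sub(r"^/home/[^/]+/", "", key[1])
        hit = any(rel == d or rel.startswith(d + "/") for d in AUDITED_DENY)
        (expected if hit else gaps)[key] += 1
    return expected, gaps

# Constructed sample audit lines (not taken from the original post).
TEMPLATE = ('audit: type=1400 audit(1700000000.1:{n}): apparmor="DENIED" operation="{op}" '
            'profile="{prof}" name={name} pid=4242 comm="git" requested_mask="{m}" denied_mask="{m}"')
NODE = "/usr/bin/radicle-node"
SAMPLE_LOG = "\n".join([
    TEMPLATE.format(n=1, op="exec", prof=NODE, name='"/usr/lib/git-core/git-upload-pack"', m="x"),
    TEMPLATE.format(n=2, op="exec", prof=NODE, name='"/usr/lib/git-core/git-upload-pack"', m="x"),
    TEMPLATE.format(n=3, op="open", prof=NODE, name='"/home/alice/.ssh/id_ed25519"', m="r"),
    TEMPLATE.format(n=4, op="open", prof=NODE, name=b"/home/alice/.gnupg/my key".hex().upper(), m="r"),
    TEMPLATE.format(n=5, op="open", prof="/usr/bin/other-daemon", name='"/etc/hostname"', m="r"),
])

if __name__ == "__main__":
    audited, missing = summarize_denials(SAMPLE_LOG)
    print("audit deny hits:", dict(audited))
    print("rules to review:", dict(missing))
```

Entries in the second group are candidates for a new rule, such as the git-core line above; entries in the first group are the profile working as intended and are worth alerting on.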