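# AppArmor profile for Forge-Code AI terminal
# Location: /etc/apparmor.d/forge-code
#
# To enable (load in complain mode first, validate, then enforce):
#   sudo cp forge-code.apparmor /etc/apparmor.d/forge-code
#   sudo apparmor_parser -r /etc/apparmor.d/forge-code
#   sudo aa-complain /etc/apparmor.d/forge-code
#   # exercise the tool, then review kernel audit output (e.g. journalctl -k)
#   # for "apparmor=\"ALLOWED\"" entries that indicate missing rules
#   sudo aa-enforce /etc/apparmor.d/forge-code
#
# This profile is PERMISSIVE by default: the flags=(complain) on the profile
# header makes AppArmor log violations instead of blocking them. aa-enforce
# removes that flag once the rule set has been validated.
#include <tunables/global>

/usr/bin/forge-code flags=(complain) {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  # NOTE(review): the desktop abstractions below (fonts, X, freedesktop.org,
  # audio, dbus-*) grant broad access that a terminal-only binary may not
  # need; drop any that never show up in complain-mode logs.
  #include <abstractions/fonts>
  #include <abstractions/X>
  #include <abstractions/freedesktop.org>
  #include <abstractions/user-tmp>
  #include <abstractions/audio>
  #include <abstractions/dbus-session-strict>
  #include <abstractions/dbus-accessibility-strict>

  # Forge-Code installation directory (read-only)
  /usr/bin/forge-code r,
  /usr/bin/forge rix,

  # User configuration and state — restricted to files owned by the
  # invoking user so a profile-confined process cannot read another
  # user's state.
  owner @{HOME}/.forge/** rwk,
  owner @{HOME}/.config/forge-code/** rwk,
  owner @{HOME}/.cache/forge-code/** rwk,
  owner @{HOME}/.local/share/forge-code/** rwk,

  # System libraries (read + mmap-exec for shared objects)
  /usr/lib/** rm,
  /usr/share/** r,
  /etc/fonts/** r,
  /etc/ssl/** r,
  /etc/ca-certificates/** r,

  # Proc and sys — minimal
  @{PROC}/sys/kernel/random/uuid r,
  @{PROC}/@{pid}/fd/ r,
  @{PROC}/@{pid}/stat r,

  # Network — required for AI provider API calls
  network inet stream,
  network inet6 stream,
  # netlink raw is used by the resolver / interface enumeration paths
  network netlink raw,

  # IPC — scoped to the caller's own shared-memory objects; the previous
  # unscoped rule allowed reading every user's /dev/shm segments.
  owner /dev/shm/** rw,
  # 'd' is not an AppArmor permission; directory listing is 'r'.
  owner /run/user/*/ r,
  owner /run/user/*/writable rw,

  # Git operations (ix: git runs confined under this same profile)
  # NOTE(review): git dispatches to helper binaries outside /usr/bin; if
  # complain-mode logs show denied execs for those, add an explicit rix rule.
  /usr/bin/git rix,
  owner @{HOME}/.gitconfig r,

  # Editor access (for :edit command)
  # AppArmor does not expand shell environment variables such as $EDITOR or
  # $VISUAL, so the former "/usr/bin/{$EDITOR,$VISUAL}" entry matched nothing
  # useful. Every editor that may be launched must be listed explicitly.
  /usr/bin/{vim,nvim,nano,code,subl} rix,

  # fzf (for :conversation picker)
  /usr/bin/fzf rix,

  # Deny sensitive paths. Deny rules take precedence over allow rules and
  # over the abstractions included above, so these hold even if an
  # abstraction is later widened.
  deny /boot/** rw,
  deny /sys/firmware/** rw,
  deny /etc/shadow r,
  deny /etc/gshadow r,
  deny /root/** rw,
  # Cover the home-directory tunable as well as the literal /home layout,
  # and block writes (key replacement) in addition to reads.
  deny /home/*/.ssh/** rw,
  deny @{HOME}/.ssh/** rw,
}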