From 56f3332163dbdb8ebb93df0e1efcc3a3eee2e051 Mon Sep 17 00:00:00 2001
From: odomingao <sabadao@riseup.net>
Date: Mon, 15 Jul 2024 18:56:55 -0300
Subject: [PATCH] add profiles for waybar and some hypr utilities (#414)

---
 apparmor.d/groups/hypr/hyprctl    | 21 ++++++++++++++++
 apparmor.d/groups/hypr/hyprlock   | 37 ++++++++++++++++++++++++++++
 apparmor.d/groups/hypr/hyprpaper  | 31 +++++++++++++++++++++++
 apparmor.d/groups/hypr/hyprpicker | 25 +++++++++++++++++++
 apparmor.d/groups/hypr/hyprpm     | 41 +++++++++++++++++++++++++++++++
 apparmor.d/profiles-s-z/waybar    | 34 +++++++++++++++++++++++++
 6 files changed, 189 insertions(+)
 create mode 100644 apparmor.d/groups/hypr/hyprctl
 create mode 100644 apparmor.d/groups/hypr/hyprlock
 create mode 100644 apparmor.d/groups/hypr/hyprpaper
 create mode 100644 apparmor.d/groups/hypr/hyprpicker
 create mode 100644 apparmor.d/groups/hypr/hyprpm
 create mode 100644 apparmor.d/profiles-s-z/waybar

diff --git a/apparmor.d/groups/hypr/hyprctl b/apparmor.d/groups/hypr/hyprctl
new file mode 100644
index 000000000..4c8a72110
--- /dev/null
+++ b/apparmor.d/groups/hypr/hyprctl
@@ -0,0 +1,21 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 odomingao
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/hyprctl
+
+profile hyprctl @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/nameservice-strict>
+
+  @{exec_path} mr,
+
+  include if exists <local/hyprctl>
+}
+
+# vim:syntax=apparmor
+
diff --git a/apparmor.d/groups/hypr/hyprlock b/apparmor.d/groups/hypr/hyprlock
new file mode 100644
index 000000000..9f400c90b
--- /dev/null
+++ b/apparmor.d/groups/hypr/hyprlock
@@ -0,0 +1,37 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 odomingao
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/hyprlock
+
+profile hyprlock @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/authentication>
+  include <abstractions/fonts>
+  include <abstractions/graphics>
+  include <abstractions/nameservice-strict>
+
+  network netlink raw,
+
+  @{exec_path} mr,
+
+  /etc/security/faillock.conf r,
+  /etc/shells r,
+
+  owner @{HOME}/@{XDG_WALLPAPERS_DIR}/** r,
+  owner @{user_pictures_dirs}/** r,
+
+  owner @{user_config_dirs}/hypr/hyprlock.conf r,
+
+  owner @{run}/faillock/@{user} rwk,
+
+  owner /dev/tty@{int} rw,
+
+  include if exists <local/hyprlock>
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/hypr/hyprpaper b/apparmor.d/groups/hypr/hyprpaper
new file mode 100644
index 000000000..616ff6c57
--- /dev/null
+++ b/apparmor.d/groups/hypr/hyprpaper
@@ -0,0 +1,31 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 odomingao
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/hyprpaper
+
+profile hyprpaper @{exec_path} flags=(attach_disconnected) {
+  include <abstractions/base>
+  include <abstractions/nameservice-strict>
+
+  @{exec_path} mr,
+
+  /usr/share/icons/** r,
+
+  owner @{HOME}/@{XDG_WALLPAPERS_DIR}/** r,
+
+  owner @{user_config_dirs}/hypr/hyprpaper.conf r,
+
+  owner @{run}/user/@{uid}/ r,
+  owner @{run}/user/@{uid}/.hyprpaper* rw,
+  owner @{run}/user/@{uid}/hypr/*/.hyprpaper.sock w,
+  owner @{run}/user/@{uid}/hyprpaper.lock rw,
+
+  include if exists <local/hyprpaper>
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/hypr/hyprpicker b/apparmor.d/groups/hypr/hyprpicker
new file mode 100644
index 000000000..bbeb59a71
--- /dev/null
+++ b/apparmor.d/groups/hypr/hyprpicker
@@ -0,0 +1,25 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 odomingao
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/hyprpicker
+
+profile hyprpicker @{exec_path} {
+  include <abstractions/base>
+
+  @{exec_path} mr,
+  @{bin}/wl-copy Px,
+
+  /usr/share/icons/** r,
+
+  owner @{run}/user/@{uid}/.hyprpicker* rw,
+
+  include if exists <local/hyprpicker>
+}
+
+# vim:syntax=apparmor
+
diff --git a/apparmor.d/groups/hypr/hyprpm b/apparmor.d/groups/hypr/hyprpm
new file mode 100644
index 000000000..77c6bfe69
--- /dev/null
+++ b/apparmor.d/groups/hypr/hyprpm
@@ -0,0 +1,41 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 odomingao
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/hyprpm
+
+profile hyprpm @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/nameservice-strict>
+  include <abstractions/ssl_certs>
+  include <abstractions/user-tmp>
+
+  network inet dgram,
+  network inet stream,
+  network inet6 dgram,
+  network inet6 stream,
+
+  @{exec_path} mr,
+
+  @{bin}/** rix,
+  @{lib}/gcc/** rix,
+  @{lib}/git-core/** rix,
+
+  /usr/include/** r,
+  /usr/share/git-core/** r,
+  /usr/share/pkgconfig/** r,
+
+  owner @{HOME}/.gitconfig r,
+
+  owner @{user_share_dirs}/hyprpm/{,**} rw,
+
+  /tmp/hyprpm/** rw,
+
+  include if exists <local/hyprpm>
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-s-z/waybar b/apparmor.d/profiles-s-z/waybar
new file mode 100644
index 000000000..b740485fd
--- /dev/null
+++ b/apparmor.d/profiles-s-z/waybar
@@ -0,0 +1,34 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 odomingao
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/waybar
+
+profile waybar @{exec_path} flags=(attach_disconnected) {
+  include <abstractions/base>
+  include <abstractions/audio>
+  include <abstractions/dconf-write>
+  include <abstractions/desktop>
+  include <abstractions/nameservice-strict>
+
+  network inet dgram,
+  network inet6 dgram,
+  network netlink raw,
+
+  @{exec_path} mr,
+
+  @{bin}/** rPUx,
+  @{user_bin_dirs}/** rPUx,
+
+  owner @{user_config_dirs}/waybar/{,**} r,
+
+  owner /dev/tty@{int} rw,
+
+  include if exists <local/waybar>
+}
+
+# vim:syntax=apparmor