diff --git a/ncmpcpp b/ncmpcpp
new file mode 100644
index 000000000..ccc337fda
--- /dev/null
+++ b/ncmpcpp
@@ -0,0 +1,90 @@
+# apparmor policy for ncmpcpp
+# Copyright (C) 2023 Andy Ramos
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/ncmpcpp
+profile ncmpcpp @{exec_path} {
+ include
+ include
+ include
+
+ network inet dgram,
+ network inet6 dgram,
+ network inet stream,
+ network inet6 stream,
+ network netlink raw,
+
+ @{exec_path} mr,
+
+ @{bin}/gedit rCx -> gedit,
+ @{bin}/nano rCx -> nano,
+
+ @{bin}/nvim rCx -> vim,
+ @{bin}/vi rCx -> vim,
+ @{bin}/vim{,.{basic,tiny}} rCx -> vim,
+
+ @{bin}/@{unix_shell} rix,
+ @{bin}/pgrep rix,
+
+ /etc/inputrc r,
+
+ /usr/share/zoneinfo-icu/ r,
+ /usr/share/zoneinfo-icu/** r,
+
+ owner @{user_config_dirs}/ncmpcpp/{,**} r,
+ owner @{user_config_dirs}/ncmpcpp/error.log rw,
+ owner @{user_share_dirs}/lyrics/{,**} rw,
+
+ owner @{user_music_dirs}/ r,
+ # w is for tag editor
+ owner @{user_music_dirs}/** rw,
+
+ /tmp/mpd.fifo r,
+
+ /proc/ r,
+ /proc/uptime r,
+ /proc/sys/kernel/osrelease r,
+
+ deny /proc/*/cmdline r,
+
+
+ profile gedit {
+
+ include
+
+ owner @{user_share_dirs}/lyrics/{,**} rw,
+
+ include if exists
+
+ }
+
+ profile nano {
+
+ include
+
+ owner @{user_share_dirs}/lyrics/{,**} rw,
+
+ include if exists
+
+ }
+
+ profile vim {
+
+ include
+
+ owner @{user_share_dirs}/nvim/swap/%home%*%.local%share%lyrics%*.swp rwk,
+ owner @{user_config_dirs}/ncmpcpp/error.log a,
+ owner @{user_share_dirs}/lyrics/{,**} rw,
+
+ /tmp/mpd.fifo r,
+
+ include if exists
+
+ }
+
+ include if exists
+}
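Review bot: The `/tmp/mpd.fifo r,` rule, in the main profile and again in the `vim` child profile, is the only rule outside the system paths that carries no `owner` qualifier, and it names a fixed path in a world-writable directory, so the profile lets the client read whatever any local user placed there. If mpd runs as the same user as ncmpcpp, `owner /tmp/mpd.fifo r,` would match the other per-user rules. If mpd runs under a separate service account the rule has to stay as written, and a comment such as `# not owner-restricted: fifo is created by the mpd service user` would record why. The `vim` child's `error.log a` and fifo rules look like they cover descriptors inherited from the parent rather than files the editor opens itself; a one-line comment confirming that would let a later reviewer judge whether they can be dropped.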