From 8da557ba0462ee2d6aaa8b6f95bb4b6902bce90c Mon Sep 17 00:00:00 2001
From: Alexandre Pujol <alexandre@pujol.io>
Date: Mon, 24 Jun 2024 18:01:41 +0100
Subject: [PATCH] feat(profile): add totem.

---
 apparmor.d/profiles-s-z/totem | 85 +++++++++++++++++++++++++++++++++++
 dists/flags/main.flags        |  1 +
 2 files changed, 86 insertions(+)
 create mode 100644 apparmor.d/profiles-s-z/totem

diff --git a/apparmor.d/profiles-s-z/totem b/apparmor.d/profiles-s-z/totem
new file mode 100644
index 000000000..c75cea7ff
--- /dev/null
+++ b/apparmor.d/profiles-s-z/totem
@@ -0,0 +1,85 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/totem
+profile totem @{exec_path} flags=(attach_disconnected) {
+  include <abstractions/base>
+  include <abstractions/audio-client>
+  include <abstractions/bus-accessibility>
+  include <abstractions/bus/org.a11y>
+  include <abstractions/bus/org.freedesktop.ScreenSaver>
+  include <abstractions/bus/org.gnome.SessionManager>
+  include <abstractions/common/gnome>
+  include <abstractions/gstreamer>
+  include <abstractions/user-download-strict>
+
+  network netlink raw,
+
+  signal (send) set=(kill) peer=totem//bwrap,
+
+  #aa:dbus own bus=session name=org.mpris.MediaPlayer2.totem
+  #aa:dbus talk bus=session name=org.gnome.Nautilus label=nautilus
+  #aa:dbus talk bus=session name=org.gnome.OnlineAccounts label=goa-daemon
+  #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}"
+
+  @{exec_path} mr,
+
+  @{bin}/bwrap rCx -> bwrap,
+
+  /usr/share/xml/iso-codes/{,**} r,
+  /usr/share/grilo-plugins/{,**} r,
+  /usr/share/thumbnailers/{,**} r,
+
+  owner @{user_music_dirs}/{,**} rw,
+  owner @{user_pictures_dirs}/{,**} rw,
+  owner @{user_torrents_dirs}/{,**} rw,
+  owner @{user_videos_dirs}/{,**} rw,
+
+  owner @{user_cache_dirs}/gnome-desktop-thumbnailer/gstreamer-1.0/{,**} r,
+  owner @{user_share_dirs}/grilo-plugins/ rw,
+  owner @{user_share_dirs}/grilo-plugins/** rwlk,
+
+  owner @{tmp}/flatpak-seccomp-@{rand6} rw,
+  owner @{tmp}/gnome-desktop-thumbnailer-@{rand6}/{,**} rw,
+
+  owner @{run}/user/@{uid}/gvfs/smb-share:server=*,share=**/ r,
+  owner @{run}/user/@{uid}/gvfs/smb-share:server=*,share=** r,
+
+  owner @{PROC}/@{pid}/mountinfo r,
+  owner @{PROC}/@{pid}/task/@{tid}/comm w,
+
+  deny @{user_share_dirs}/gvfs-metadata/* r,
+
+  profile bwrap flags=(attach_disconnected) {
+    include <abstractions/base>
+    include <abstractions/common/bwrap>
+    include <abstractions/fonts>
+    include <abstractions/freedesktop.org>
+    include <abstractions/gstreamer>
+
+    capability dac_override,
+
+    @{bin}/bwrap mr,
+    @{bin}/totem-video-thumbnailer rix,
+
+    owner @{tmp}/flatpak-seccomp-@{rand6} rw,
+    owner @{tmp}/gnome-desktop-file-to-thumbnail.* rw,
+    owner @{user_cache_dirs}/gnome-desktop-thumbnailer/{,**} rw,
+
+          @{PROC}/sys/vm/mmap_min_addr r,
+    owner @{PROC}/@{pid}/task/@{tid}/comm w,
+
+    /dev/ r,
+ 
+    include if exists <local/totem_bwrap>
+  }
+
+  include if exists <local/totem>
+}
+
+# vim:syntax=apparmor
diff --git a/dists/flags/main.flags b/dists/flags/main.flags
index 6da4d4bc4..8bb7843b8 100644
--- a/dists/flags/main.flags
+++ b/dists/flags/main.flags
@@ -356,6 +356,7 @@ systemd-udevd attach_disconnected,complain
 systemd-user-sessions complain
 systemd-userwork attach_disconnected,complain
 systemsettings complain
+totem attach_disconnected,complain
 tracker-writeback complain
 udev-dmi-memory-id complain
 udisksctl complain