# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/4.0>,

include <tunables/global>

@{exec_path} = @{bin}/gimp{,-*}
profile gimp @{exec_path} {
  include <abstractions/base>
  include <abstractions/bus-session>
  include <abstractions/bus/org.freedesktop.FileManager1>
  include <abstractions/dconf-write>
  include <abstractions/desktop>
  include <abstractions/graphics>
  include <abstractions/nameservice-strict>
  include <abstractions/python>
  include <abstractions/thumbnails-cache-write>
  include <abstractions/user-download-strict>

  signal (send) set=(term, kill) peer=xsane-gimp,

  #aa:dbus talk bus=session name=org.gnome.Shell.Screenshot label=gnome-shell
  #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}"

  @{exec_path} mr,

  @{bin}/env rix,
  @{bin}/gjs-console rix,
  @{bin}/lua rix,
  @{lib}/gimp/@{version}/extensions/*/* rix,
  @{lib}/gimp/*/plug-ins/** rix,
  @{python_path} rix,

  @{bin}/xsane-gimp rPx,
  @{open_path}      rPx -> child-open-help,

  /usr/share/gimp/{,**} r,
  /usr/share/mypaint-data/{,**} r,
  /usr/share/xml/iso-codes/{,**} r,

  /etc/fstab r,
  /etc/gimp/{,**} r,

  owner @{user_documents_dirs}/{,**} rw,
  owner @{user_pictures_dirs}/{,**} rw,
  owner @{user_work_dirs}/{,**} rw,

  owner @{user_cache_dirs}//thumbnails/normal/gimp-thumb* rw,
  owner @{user_cache_dirs}/babl/{,**} rw,
  owner @{user_cache_dirs}/gegl-*/{,**} r,
  owner @{user_cache_dirs}/gegl-*/{,**} r,
  owner @{user_cache_dirs}/gimp/{,**} rw,
  owner @{user_cache_dirs}/GIMP/{,**} rw,

  owner @{user_config_dirs}/gimp/{,**} rw,
  owner @{user_config_dirs}/GIMP/{,**} rw,

  owner @{user_share_dirs}/gegl-*/{,**} r,
  owner @{user_share_dirs}/GIMP/{,**} rw,

  owner @{tmp}/gimp/{,**} rw,

  owner @{PROC}/@{pid}/mountinfo r,

  include if exists <local/gimp>
}

# vim:syntax=apparmor