# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/4.0>,

include <tunables/global>

@{exec_path} = @{lib}/flatpak-portal
profile flatpak-portal @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/bus-session>
  include <abstractions/nameservice-strict>

  capability sys_ptrace,

  network netlink raw,

  ptrace read,

  signal send,

  #aa:dbus own bus=session name=org.freedesktop.portal.Flatpak

  @{exec_path} mr,

  @{bin}/flatpak rPx,

  /usr/share/mime/mime.cache r,
  /usr/share/xdg-desktop-portal/portals/{,*.portal} r,

  /var/lib/flatpak/exports/share/mime/mime.cache r,

  owner /att/**/ r,
  owner @{att}/.flatpak-info r,

  owner @{att}/@{HOME}/.var/app/*/.local/share/*/logs/* rw,
  owner @{att}/@{HOME}/.var/app/*/.local/share/*/**/usr/.ref rw,

  owner @{user_config_dirs}/user-dirs.dirs r,
  owner @{user_share_dirs}/mime/mime.cache r,

  owner @{run}/user/@{uid}/.flatpak/@{int}/* r,
  owner @{run}/user/@{uid}/.flatpak/@{int}-private/* r,

  include if exists <local/flatpak-portal>
}

# vim:syntax=apparmor