# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/3.0>,

include <tunables/global>

@{exec_path}  = /{usr/,}bin/font-manager
profile font-manager @{exec_path} {
  include <abstractions/base>
  include <abstractions/gtk>
  include <abstractions/fonts>
  include <abstractions/fontconfig-cache-write>
  include <abstractions/freedesktop.org>
  include <abstractions/nameservice-strict>
  include <abstractions/gstreamer>
  include <abstractions/ssl_certs>

  network inet dgram,
  network inet6 dgram,
  network inet stream,
  network inet6 stream,
  network netlink raw,

  @{exec_path} r,

  /{usr/,}lib/@{multiarch}/webkit*gtk-*/WebKitWebProcess     rix,
  /{usr/,}lib/@{multiarch}/webkit*gtk-*/WebKitNetworkProcess rix,

  owner @{user_cache_dirs}/ rw,
  owner @{user_cache_dirs}/font-manager/ rw,
  owner @{user_cache_dirs}/font-manager/* rwk,

  owner @{user_config_dirs}/font-manager/ rw,
  owner @{user_config_dirs}/font-manager/* rw,

  owner @{user_config_dirs}/fontconfig/ rw,
  owner @{user_config_dirs}/fontconfig/conf.d/ rw,
  owner @{user_config_dirs}/fontconfig/conf.d/* rw,

  owner @{user_share_dirs}/fonts/ rw,
  owner "@{user_share_dirs}/fonts/Google Fonts/" rw,
  owner "@{user_share_dirs}/fonts/Google Fonts/**" rw,

  owner @{user_share_dirs}/ r,
  owner @{user_share_dirs}/gvfs-metadata/{,*} r,

  /usr/share/glib-2.0/schemas/gschemas.compiled r,

  owner @{PROC}/@{pid}/cgroup r,
  owner @{PROC}/@{pid}/fd/ r,
  owner @{PROC}/@{pid}/statm r,
  owner @{PROC}/@{pid}/cmdline r,
  owner @{PROC}/@{pid}/smaps r,
        @{PROC}zoneinfo r,

  @{sys}/devices/virtual/dmi/id/chassis_type r,
  @{sys}/firmware/acpi/pm_profile r,
  @{sys}/fs/cgroup/{,**} r,

  include <abstractions/dconf>
  owner @{run}/user/@{uid}/dconf/ rw,
  owner @{run}/user/@{uid}/dconf/user rw,

  # Silencer
       owner /var/cache/fontconfig/ w,
  deny       /var/cache/fontconfig/ w,

  include if exists <local/font-manager>
}