# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

# Default profile for unconfined programs

abi <abi/3.0>,

include <tunables/global>

@{exec_path} = /**
profile default @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  include <abstractions/base>
  include <abstractions/audio-client>
  include <abstractions/consoles>
  include <abstractions/dbus-session>
  include <abstractions/dconf-write>
  include <abstractions/desktop>
  include <abstractions/devices-usb>
  include <abstractions/graphics>
  include <abstractions/nameservice-strict>
  include <abstractions/p11-kit>
  include <abstractions/shells>
  include <abstractions/ssl_certs>
  include <abstractions/video>

  capability dac_override,
  capability dac_read_search,

  network inet dgram,
  network inet6 dgram,
  network inet stream,
  network inet6 stream,
  network netlink dgram,
  network netlink raw,

  signal (receive) set=(hup),

  @{bin}/bwrap           rPx -> bwrap,
  @{bin}/pipewire-pulse  rPx -> systemd//&pipewire-pulse,
  @{bin}/pulseaudio      rPx -> systemd//&pulseaudio,
  @{bin}/su              rPx -> default-sudo,
  @{bin}/sudo            rPx -> default-sudo,
  @{bin}/systemctl       rix,
  @{coreutils_path}      rix,
  @{shells_path}         rix,

  @{pager_path}          rPx -> child-pager,

#   @{open_path}           rPx -> child-open,

  audit @{bin}/**        Pix,
  audit @{lib}/**        Pix,
  audit /opt/*/**        Pix,
  audit /usr/share/*/*   Pix,

  @{bin}/{,**} r,
  @{lib}/{,**} r,
  /usr/share/** r,

  /etc/xdg/** r,

  # Full access to user's data
  / r,
  /*/ r,
  @{MOUNTDIRS}/ r,
  @{MOUNTS}/ r,
  @{MOUNTS}/** rwl,
  owner @{HOME}/{,**} rwlk,
  owner @{run}/user/@{uid}/{,**} rw,
  owner @{tmp}/{,**} rwk,
  owner @{run}/user/@{uid}/{,**} rwlk,

  @{run}/motd.dynamic.new rw,

  @{run}/udev/data/+input:input@{int} r,  # for mouse, keyboard, touchpad

  @{run}/udev/data/c13:@{int}  r,         # for /dev/input/*

  @{sys}/ r,
  @{sys}/bus/ r,
  @{sys}/bus/pci/devices/ r,
  @{sys}/class/ r,
  @{sys}/class/drm/ r,
  @{sys}/class/hidraw/ r,
  @{sys}/class/input/ r,
  @{sys}/class/power_supply/ r,
  @{sys}/devices/**/input@{int}/ r,
  @{sys}/devices/**/input@{int}/capabilities/* r,
  @{sys}/devices/**/input/input@{int}/ r,
  @{sys}/devices/**/uevent r,
  @{sys}/devices/virtual/dmi/id/chassis_type r,
  @{sys}/firmware/acpi/pm_profile r,
  @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/dbus.service/memory.* r,

        @{PROC}/cmdline r,
        @{PROC}/sys/kernel/seccomp/actions_avail r,
        @{PROC}/zoneinfo r,
  owner @{PROC}/@{pid}/cgroup r,
  owner @{PROC}/@{pid}/gid_map w,
  owner @{PROC}/@{pid}/limits r,
  owner @{PROC}/@{pid}/loginuid r,
  owner @{PROC}/@{pid}/mem r,
  owner @{PROC}/@{pid}/mountinfo r,
  owner @{PROC}/@{pid}/mounts r,
  owner @{PROC}/@{pid}/oom_{,score_}adj rw,
  owner @{PROC}/@{pid}/stat r,
  owner @{PROC}/@{pid}/task/@{tid}/comm rw,
  owner @{PROC}/@{pids}/cmdline r,
  owner @{PROC}/@{pids}/environ r,
  owner @{PROC}/@{pids}/task/ r,

        /dev/ r,
        /dev/ptmx rwk,
        /dev/tty rwk,
  owner /dev/tty@{int} rw,

  include if exists <usr/default.d>
  include if exists <local/default>
}

# vim:syntax=apparmor