# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/4.0>,

include <tunables/global>

@{exec_path} = @{bin}/gnome-shell
profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  include <abstractions/base>
  include <abstractions/audio-client>
  include <abstractions/bus-accessibility>
  include <abstractions/bus-session>
  include <abstractions/bus-system>
  include <abstractions/bus/net.hadess.PowerProfiles>
  include <abstractions/bus/net.hadess.SwitcherooControl>
  include <abstractions/bus/net.reactivated.Fprint>
  include <abstractions/bus/org.a11y>
  include <abstractions/bus/org.freedesktop.background.Monitor>
  include <abstractions/bus/org.freedesktop.FileManager1>
  include <abstractions/bus/org.freedesktop.GeoClue2>
  include <abstractions/bus/org.freedesktop.impl.portal.PermissionStore>
  include <abstractions/bus/org.freedesktop.locale1>
  include <abstractions/bus/org.freedesktop.login1.Session>
  include <abstractions/bus/org.freedesktop.NetworkManager>
  include <abstractions/bus/org.freedesktop.Notifications>
  include <abstractions/bus/org.freedesktop.PackageKit>
  include <abstractions/bus/org.freedesktop.PolicyKit1>
  include <abstractions/bus/org.freedesktop.portal.Desktop>
  include <abstractions/bus/org.freedesktop.RealtimeKit1>
  include <abstractions/bus/org.freedesktop.secrets>
  include <abstractions/bus/org.freedesktop.systemd1>
  include <abstractions/bus/org.freedesktop.UPower>
  include <abstractions/bus/org.gtk.Private.RemoteVolumeMonitor>
  include <abstractions/dconf-write>
  include <abstractions/fontconfig-cache-write>
  include <abstractions/gnome-strict>
  include <abstractions/graphics>
  include <abstractions/gstreamer>
  include <abstractions/ibus>
  include <abstractions/nameservice-strict>
  include <abstractions/p11-kit>
  include <abstractions/ssl_certs>
  include <abstractions/thumbnails-cache-read>
  include <abstractions/video>

  capability sys_nice,
  capability sys_ptrace,

  network inet stream,
  network inet6 stream,
  network inet dgram,
  network inet6 dgram,
  network netlink raw,
  network unix stream,

  ptrace (read),
  ptrace (readby) peer=pipewire,

  signal (receive) set=(term, hup) peer=gdm*,
  signal (send),

  unix (send,receive) type=stream addr=none peer=(label=gnome-extension-ding),
  unix (send,receive) type=stream addr=none peer=(label=xkbcomp),
  unix (send,receive) type=stream addr=none peer=(label=xwayland),
  unix (send,receive, connect) type=stream peer=(addr="@/var/lib/gdm{3,}/.cache/ibus/dbus-????????", label=ibus-daemon),

  # Owned by gnome-shell

  #aa:dbus own bus=session name=org.gnome.keyring.SystemPrompter
  #aa:dbus own bus=session name=org.gnome.Mutter
  #aa:dbus own bus=session name=org.gnome.Shell

  #aa:dbus own bus=session name=com.canonical.{U,u}nity
  #aa:dbus own bus=session name=com.rastersoft.dingextension
  #aa:dbus own bus=session name=org.ayatana.NotificationItem
  #aa:dbus own bus=session name=org.gtk.Actions path=/**
  #aa:dbus own bus=session name=org.gtk.MountOperationHandler
  #aa:dbus own bus=session name=org.gtk.Notifications
  #aa:dbus own bus=session name=org.kde.StatusNotifierWatcher path=/StatusNotifierWatcher

  # Talk with gnome-shell

  #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon
  #aa:dbus talk bus=system name=org.freedesktop.bolt label=boltd
  #aa:dbus talk bus=system name=org.freedesktop.ColorManager label=colord
  #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind
  #aa:dbus talk bus=system name=org.gnome.DisplayManager label=gdm

  #aa:dbus talk bus=session name=com.rastersoft.ding label=gnome-extension-ding
  #aa:dbus talk bus=session name=org.gnome.* label=gnome-*
  #aa:dbus talk bus=session name=org.gnome.ScreenSaver label=gjs-console
  #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.* label=gsd-*
  #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}"
  #aa:dbus talk bus=session name=org.gnome.Nautilus label=nautilus

  # System bus

  dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
       interface=org.freedesktop.PolicyKit1.Authority
       member=RegisterAuthenticationAgent
       peer=(name=:*, label=polkitd),
  dbus receive bus=system path=/org/freedesktop/PolicyKit1/AuthenticationAgent
       interface=org.freedesktop.PolicyKit1.AuthenticationAgent
       member=BeginAuthentication
       peer=(name=:*, label=polkitd),

  dbus send bus=system path=/org/freedesktop/NetworkManager/AgentManager
       interface=org.freedesktop.NetworkManager.AgentManager
       member={RegisterWithCapabilities,Unregister}
       peer=(name=:*, label=NetworkManager),

  dbus send bus=system path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member={GetConnectionUnixUser,GetConnectionUnixProcessID,GetNameOwner,ListNames}
       peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),

  # Session bus

  dbus send bus=session path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member={GetConnectionUnixUser,GetConnectionUnixProcessID,GetNameOwner,ListNames}
       peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
  dbus send bus=session path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus.Properties
       member=GetAll
       peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
  dbus send bus=session path=/
       interface=org.freedesktop.DBus
       member={GetConnectionUnixProcessID,GetNameOwner,ListNames}
       peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),

  dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
       interface=org.a11y.atspi.Socket
       member=Embed
       peer=(name=org.a11y.atspi.Registry),

  dbus receive bus=session path=/org/freedesktop/systemd1
       interface=org.freedesktop.systemd1.Manager
       member=JobRemoved
       peer=(name=:*, label="@{p_systemd_user}"),

  dbus send bus=session path=/MenuBar
       interface=com.canonical.dbusmenu
       member={AboutToShow,GetLayout,GetGroupProperties}
       peer=(name=:*),

  dbus send bus=session path=/StatusNotifierItem
       interface=org.freedesktop.DBus.Properties
       member={Get,GetAll}
       peer=(name=:*),

  dbus send bus=session path=/org/mpris/MediaPlayer2
       interface=org.freedesktop.DBus.Properties
       member={Get,GetAll}
       peer=(name=:*),

  dbus send bus=session
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name=:*),
  dbus send bus=session
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),

  @{exec_path} mr,

  @{bin}/unzip                  rix,

  @{bin}/gjs-console            rPx,
  @{bin}/glib-compile-schemas   rPx,
  @{bin}/ibus-daemon            rPx,
  @{bin}/Xwayland               rPx,
  @{bin}/tecla                  rPx,
  @{lib}/{,NetworkManager/}nm-openvpn-auth-dialog rPx,
  @{lib}/mutter-x11-frames      rPx,
  #aa:exec polkit-agent-helper

  @{sh_path}                                              rCx -> shell,
  @{lib}/gio-launch-desktop                               rCx -> open,
  @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop  rCx -> open,

  @{user_share_dirs}/gnome-shell/extensions/*/**       rPUx,
  /usr/share/gnome-shell/extensions/*/**               rPUx,

  /opt/**/share/icons/{,**} r,
  /snap/*/@{uid}/**.png r,
  /usr/share/**.{png,jpg,svg} r,
  /usr/share/**/icons/{,**} r,
  /usr/share/backgrounds/{,**} r,
  /usr/share/byobu/desktop/byobu* r,
  /usr/share/dconf/profile/gdm r,
  /usr/share/desktop-directories/{,*.directory} r,
  /usr/share/gdm/BuiltInSessions/{,*.desktop} r,
  /usr/share/gdm/greeter-dconf-defaults r,
  /usr/share/gdm/greeter/applications/{,**} r,
  /usr/share/libgweather/Locations.xml r,
  /usr/share/libinput*/{,**} r,
  /usr/share/libwacom/{,*.stylus,*.tablet} r,
  /usr/share/poppler/{,**} r,
  /usr/share/wallpapers/** r,
  /usr/share/wayland-sessions/{,*.desktop} r,
  /usr/share/xml/iso-codes/{,**} r,
  @{system_share_dirs}/gnome-shell/{,**} r,

  /etc/fstab r,
  /etc/timezone r,
  /etc/tpm2-tss/*.json r,
  /etc/udev/hwdb.bin r,
  /etc/xdg/menus/gnome-applications.menu r,

  /var/lib/AccountsService/icons/* r,

  /var/lib/flatpak/app/**/gnome-shell/{,**} r,
  /var/lib/flatpak/appstream/**/icons/** r,

  owner @{att}/ r,
  owner @{att}/.flatpak-info r,

  owner @{GDM_HOME}/greeter-dconf-defaults r,
  owner @{gdm_cache_dirs}/ w,
  owner @{gdm_cache_dirs}/event-sound-cache.tdb.@{hex32}.@{multiarch} rwk,
  owner @{gdm_cache_dirs}/fontconfig/{,*} rwl,
  owner @{gdm_cache_dirs}/gstreamer-@{int}/ rw,
  owner @{gdm_cache_dirs}/gstreamer-@{int}/registry.*.bin{,.tmp@{rand6}} rw,
  owner @{gdm_cache_dirs}/ibus/dbus-@{rand8} rw,
  owner @{gdm_cache_dirs}/libgweather/ r,
  owner @{gdm_config_dirs}/dconf/user r,
  owner @{gdm_config_dirs}/ibus/ rw,
  owner @{gdm_config_dirs}/ibus/bus/ rw,
  owner @{gdm_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r,
  owner @{gdm_config_dirs}/pulse/ rw,
  owner @{gdm_config_dirs}/pulse/client.conf r,
  owner @{gdm_config_dirs}/pulse/cookie rwk,
  owner @{gdm_share_dirs}/applications/{,**} r,
  owner @{gdm_share_dirs}/gnome-shell/{,**} rw,
  owner @{gdm_share_dirs}/icc/ rw,
  owner @{gdm_share_dirs}/icc/edid-@{hex32}.icc rw,
  owner @{gdm_share_dirs}/icc/.goutputstream-@{rand6} rw,

  owner @{HOME}/.face r,
  owner @{HOME}/.mozilla/firefox/firefox-mpris/{,*} r,
  owner @{HOME}/.mozilla/native-messaging-hosts/ r,
  owner @{HOME}/.mozilla/native-messaging-hosts/org.gnome.shell.extensions.gsconnect.json rw,
  owner @{HOME}/.mozilla/native-messaging-hosts/org.gnome.shell.extensions.gsconnect.json.@{rand6} rw,
  owner @{HOME}/.tpm2_pkcs11/tpm2_pkcs11.sqlite3 rw,
  owner @{HOME}/.var/app/**.{png,jpg,svg} r,
  owner @{HOME}/.var/app/**/ r,
  owner @{HOME}/@{XDG_SCREENSHOTS_DIR}/{,**} rw,
  owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} rw,

  owner @{user_games_dirs}/**.{png,jpg,svg} r,
  owner @{user_music_dirs}/**.{png,jpg,svg} r,

  owner @{user_config_dirs}/.goutputstream{,-@{rand6}} rw,
  owner @{user_config_dirs}/background r,
  owner @{user_config_dirs}/ibus/ w,
  owner @{user_config_dirs}/monitors.xml{,~} rwl,
  owner @{user_config_dirs}/tiling-assistant/{,**} rw,

  owner @{user_share_dirs}/backgrounds/{,**} rw,
  owner @{user_share_dirs}/desktop-directories/{,**} r,
  owner @{user_share_dirs}/gnome-shell/{,**} rw,
  owner @{user_share_dirs}/gnome-shell/extensions/{,**} r,
  owner @{user_share_dirs}/gvfs-metadata/{,*} r,
  owner @{user_share_dirs}/icc/ rw,
  owner @{user_share_dirs}/icc/.goutputstream-@{rand6} rw,
  owner @{user_share_dirs}/icc/edid-@{hex32}.icc rw,

  owner @{user_share_dirs}/applications/org.gnome.Shell.Extensions.GSConnect{,.Preferences}.desktop rw,
  owner @{user_share_dirs}/applications/org.gnome.Shell.Extensions.GSConnect{,.Preferences}.desktop.@{rand6} w,
  owner @{user_cache_dirs}/evolution/addressbook/*/PHOTO-* r,
  owner @{user_cache_dirs}/gnome-boxes/*.png r,
  owner @{user_cache_dirs}/gnome-photos/{,**} r,
  owner @{user_cache_dirs}/gnome-screenshot/{,**} rw,
  owner @{user_cache_dirs}/gnome-software/icons/{,**} r,
  owner @{user_cache_dirs}/libgweather/{,**} rw,
  owner @{user_cache_dirs}/media-art/{,**} r,
  owner @{user_cache_dirs}/vlc/**/*.jpg r,

        @{run}/gdm{3,}/dbus/dbus-@{rand8} rw,
  owner @{run}/user/@{uid}/app/*/*.@{rand6} r,
  owner @{run}/user/@{uid}/gnome-shell-disable-extensions rw,
  owner @{run}/user/@{uid}/gnome-shell/{,**} rw,
  owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
  owner @{run}/user/@{uid}/snap.snap*/wayland-cursor-shared-* rw,
  owner @{run}/user/@{uid}/systemd/notify rw,

  owner /dev/shm/.org.chromium.Chromium.@{rand6} rw,
  owner /dev/shm/wayland.mozilla.ipc.@{int} rw,

        /tmp/.X@{int}-lock rw,
        /tmp/dbus-@{rand8} rw,
  owner @{tmp}/.org.chromium.Chromium.@{rand6} r,
  owner @{tmp}/@{rand6}.shell-extension.zip rw,
  owner @{tmp}/gdkpixbuf-xpm-tmp.@{rand6} rw,

  @{att}/@{run}/systemd/inhibit/@{int}.ref rw,

  @{run}/systemd/users/@{uid} r,
  @{run}/systemd/seats/seat@{int} r,
  @{run}/systemd/sessions/  r,
  @{run}/systemd/sessions/* r,

  @{run}/udev/tags/seat/ r,

  @{run}/udev/data/+input:input@{int} r,  # for mouse, keyboard, touchpad
  @{run}/udev/data/+platform:* r,
  @{run}/udev/data/+dmi:id r,             # for motherboard info
  @{run}/udev/data/+acpi* r,
  @{run}/udev/data/+pci:* r,              # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.)
  @{run}/udev/data/+sound:card@{int} r,   # for sound card
  @{run}/udev/data/+usb* r,               # for USB mouse and keyboard
  @{run}/udev/data/+i2c:* r,
  @{run}/udev/data/+hid:* r,              # for HID-Compliant Keyboard
  @{run}/udev/data/c10:@{int} r,          # for non-serial mice, misc features
  @{run}/udev/data/c13:@{int} r,          # for /dev/input/*
  @{run}/udev/data/c189:@{int}  r,        # for /dev/bus/usb/**
  @{run}/udev/data/c226:@{int} r,         # for /dev/dri/card*
  @{run}/udev/data/n@{int} r,

  @{sys}/**/uevent r,
  @{sys}/bus/ r,
  @{sys}/class/hwmon/ r,
  @{sys}/class/input/ r,
  @{sys}/class/net/ r,
  @{sys}/class/power_supply/ r,
  @{sys}/devices/@{pci}/boot_vga r,
  @{sys}/devices/@{pci}/input@{int}/{properties,name} r,
  @{sys}/devices/@{pci}/net/*/statistics/collisions r,
  @{sys}/devices/@{pci}/net/*/statistics/rx_{bytes,errors,packets} r,
  @{sys}/devices/@{pci}/net/*/statistics/tx_{bytes,errors,packets} r,
  @{sys}/devices/@{pci}/usb@{int}/**/net/*/statistics/collisions r,
  @{sys}/devices/@{pci}/usb@{int}/**/net/*/statistics/rx_{bytes,errors,packets} r,
  @{sys}/devices/@{pci}/usb@{int}/**/net/*/statistics/tx_{bytes,errors,packets} r,
  @{sys}/devices/**/hwmon@{int}/{,name,temp*,fan*} r,
  @{sys}/devices/**/hwmon@{int}/**/{,name,temp*,fan*} r,
  @{sys}/devices/**/hwmon/{,name,temp*,fan*} r,
  @{sys}/devices/**/hwmon/**/{,name,temp*,fan*} r,
  @{sys}/devices/**/power_supply/{,**} r,
  @{sys}/devices/platform/**/input@{int}/{properties,name} r,
  @{sys}/devices/virtual/dmi/id/bios_vendor r,
  @{sys}/devices/virtual/net/*/statistics/collisions r,
  @{sys}/devices/virtual/net/*/statistics/rx_{bytes,errors,packets} r,
  @{sys}/devices/virtual/net/*/statistics/tx_{bytes,errors,packets} r,

  @{sys}/fs/cgroup/user.slice/cpu.max r,
  @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r,
  @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r,
  @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/cpu.max r,

        @{PROC}/ r,
        @{PROC}/@{pid}/attr/current r,
        @{PROC}/@{pid}/cgroup r,
        @{PROC}/@{pid}/cmdline r,
        @{PROC}/@{pid}/net/* r,
        @{PROC}/1/cgroup r,
        @{PROC}/cmdline r,
        @{PROC}/sys/kernel/osrelease r,
        @{PROC}/sys/net/ipv{4,6}/conf/all/disable_ipv{4,6} r,
        @{PROC}/vmstat r,
  owner @{PROC}/@{pid}/fd/ r,
  owner @{PROC}/@{pid}/fdinfo/@{int} r,
  owner @{PROC}/@{pid}/mountinfo r,
  owner @{PROC}/@{pid}/mounts r,
  owner @{PROC}/@{pid}/stat r,
  owner @{PROC}/@{pid}/task/@{pid}/cmdline r,
  owner @{PROC}/@{pid}/task/@{tid}/comm rw,
  owner @{PROC}/@{pid}/task/@{tid}/stat r,

        /dev/media@{int} rw,
        /dev/tty@{int} rw,
  @{att}/dev/dri/card@{int} rw,
  @{att}/dev/input/event@{int} rw,

  profile shell flags=(attach_disconnected,mediate_deleted) {
    include <abstractions/base>

    capability sys_ptrace,

    ptrace (read),

    @{sh_path} mr,

    @{bin}/pmap rix,
    @{bin}/grep rix,

    @{sys}/devices/system/node/ r,

          @{PROC}/uptime r,
    owner @{PROC}/@{pid}/cmdline r,
    owner @{PROC}/@{pid}/stat r,

    /dev/tty rw,

    include if exists <local/gnome-shell_shell>
  }

  profile open flags=(attach_disconnected,mediate_deleted,complain) {
    include <abstractions/base>
    include <abstractions/mesa>

    network inet stream,
    network unix stream,

    @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop  mr,
    @{lib}/gio-launch-desktop                               mr,

    @{lib}/**                     PUx,
    @{bin}/**                     PUx,
    /opt/*/**                     PUx,
    /usr/share/*/**               PUx,
    /usr/local/bin/**             PUx,
    /usr/games/**                 PUx,

    owner @{user_share_dirs}/gnome-shell/session.gvdb rw,

    owner @{run}/user/@{uid}/gnome-shell-disable-extensions w,

    deny @{user_share_dirs}/gvfs-metadata/* r,

    include if exists <local/gnome-shell_open>
  }

  include if exists <local/gnome-shell>
}

# vim:syntax=apparmor