# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/3.0>,

include <tunables/global>

@{exec_path} = /{usr/,}bin/gnome-shell
profile gnome-shell @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/app-launcher-user>
  include <abstractions/audio>
  include <abstractions/dbus-network-manager-strict>
  include <abstractions/dbus-session-strict>
  include <abstractions/dbus-strict>
  include <abstractions/dconf-write>
  include <abstractions/dri-common>
  include <abstractions/dri-enumerate>
  include <abstractions/fontconfig-cache-write>
  include <abstractions/gnome>
  include <abstractions/ibus>
  include <abstractions/mesa>
  include <abstractions/nameservice-strict>
  include <abstractions/opencl-intel>
  include <abstractions/opencl-mesa>
  include <abstractions/opencl-nvidia>
  include <abstractions/p11-kit>
  include <abstractions/ssl_certs>
  include <abstractions/thumbnails-cache-read>
  include <abstractions/vulkan>
  include <abstractions/X-strict>

  capability sys_nice,
  capability sys_ptrace,

  network inet stream,
  network inet6 stream,
  network inet dgram,
  network inet6 dgram,
  network netlink raw,

  ptrace (read),

  signal (receive) set=(term, hup) peer=gdm*,
  signal (send),
 
  unix (send,receive) type=stream addr=none peer=(label=gnome-extension-ding),
  unix (send,receive) type=stream addr=none peer=(label=xkbcomp),
  unix (send,receive) type=stream addr=none peer=(label=xwayland),

  dbus (send,receive) bus=system,
  dbus (send,receive) bus=session,
  dbus bind bus=session name=org.gnome.*,

  @{exec_path} mr,

  /{usr/,}bin/Xwayland        rPx,
  @{libexec}/polkit-1/polkit* rPx,
  @{libexec}/*                rPUx,

  /usr/share/gnome-shell/extensions/ding@rastersoft.com/ding.js rPx,

  /opt/*/**/*.png r,
  /snap/*/@{uid}/**.png r,
  /usr/share/backgrounds/{,**} r,
  /usr/share/dconf/profile/gdm r,
  /usr/share/desktop-directories/{,*.directory} r,
  /usr/share/egl/{,**} r,
  /usr/share/evolution-data-server/icons/{,**} r,
  /usr/share/gdm/greeter-dconf-defaults r,
  /usr/share/gdm/greeter/applications/{,**} r,
  /usr/share/glib-2.0/schemas/gschemas.compiled r,
  /usr/share/gnome-shell/{,**} r,
  /usr/share/libgweather/Locations.xml r,
  /usr/share/libinput/ r,
  /usr/share/libinput/[0-9][0-9]-*.quirks r,
  /usr/share/libwacom/{,*.stylus,*.tablet} r,
  /usr/share/plymouth/*.png r,
  /usr/share/ubuntu/applications/{,*.desktop} r,
  /usr/share/wayland-sessions/{,*.desktop} r,
  /usr/share/xml/iso-codes/iso_[0-9]*-[0-9]*.xml r,

  /.flatpak-info r,
  /etc/fstab r,
  /etc/xdg/menus/gnome-applications.menu r,

  /var/lib/gdm{3,}/.cache/ w,
  /var/lib/gdm{3,}/.cache/mesa_shader_cache/ rw,
  /var/lib/gdm{3,}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/ rw,
  /var/lib/gdm{3,}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/@{hex} rw,
  /var/lib/gdm{3,}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/@{hex}.tmp rwk,
  /var/lib/gdm{3,}/.cache/mesa_shader_cache/index rw,
  /var/lib/gdm{3,}/.config/dconf/user r,
  /var/lib/gdm{3,}/.config/ibus/ rw,
  /var/lib/gdm{3,}/.config/ibus/bus/ rw,
  /var/lib/gdm{3,}/.config/ibus/bus/@{hex}-unix-{,wayland-}[0-9] r,
  /var/lib/gdm{3,}/.config/pulse/ r,
  /var/lib/gdm{3,}/.config/pulse/client.conf r,
  /var/lib/gdm{3,}/.config/pulse/cookie rwk,
  /var/lib/gdm{3,}/.local/share/applications/{,**} r,
  /var/lib/gdm{3,}/.local/share/gnome-shell/ rw,
  /var/lib/gdm{3,}/greeter-dconf-defaults r,

  /var/lib/flatpak/app/**/gnome-shell/{,**} r,
  /var/lib/flatpak/exports/share/gnome-shell/{,**} r,

  /var/lib/snapd/desktop/icons/{,**} r,

  owner @{HOME}/.mozilla/firefox/firefox-mpris/{,*} r,
  owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,
  owner @{HOME}/@{XDG_SCREENSHOTS_DIR}/{,**} rw,

  owner @{user_music_dirs}/**/*.jpg r,

  owner @{user_config_dirs}/.goutputstream{,*} rw,
  owner @{user_config_dirs}/monitors.xml{,~} rwl,

  owner @{user_share_dirs}/backgrounds/{,**} rw,
  owner @{user_share_dirs}/desktop-directories/{,**} r,
  owner @{user_share_dirs}/gnome-shell/{,**} rw,
  owner @{user_share_dirs}/gnome-shell/extensions/{,**} r,
  owner @{user_share_dirs}/gvfs-metadata/{,*} r,

  owner @{user_cache_dirs}/evolution/addressbook/*/PHOTO-*.JPEG r,
  owner @{user_cache_dirs}/gnome-boxes/*.png r,
  owner @{user_cache_dirs}/gnome-photos/{,**} r,
  owner @{user_cache_dirs}/gnome-screenshot/{,**} rw,
  owner @{user_cache_dirs}/libgweather/{,**} r,
  owner @{user_cache_dirs}/media-art/{,**} r,
  owner @{user_cache_dirs}/vlc/**/*.jpg r,

  owner @{run}/user/@{uid}/gnome-shell-disable-extensions rw,
  owner @{run}/user/@{uid}/gnome-shell/{,**} rw,
  owner @{run}/user/@{uid}/gvfsd/socket-[0-9A-Za-z]* rw,
  owner @{run}/user/@{uid}/snap.snap*/wayland-cursor-shared-* rw,
  owner @{run}/user/@{uid}/systemd/notify rw,
  owner @{run}/user/@{uid}/wayland-[0-9].lock rwk,

  owner /dev/shm/.org.chromium.Chromium.* rw,
  owner /dev/shm/wayland.mozilla.ipc.[0-9]* rw,

  owner /tmp/.X[0-9]-lock rw,
  owner /tmp/[0-9A-Z]*.shell-extension.zip rw,
  owner /tmp/gdkpixbuf-xpm-tmp.[0-9A-Z]* rw,

  @{run}/systemd/users/@{uid} r,
  @{run}/systemd/seats/seat[0-9]* r,
  @{run}/systemd/sessions/  r,
  @{run}/systemd/sessions/* r,
  @{run}/systemd/inhibit/[0-9]*.ref rw,

  @{run}/udev/tags/seat/ r,

  @{run}/udev/data/+input* r,       # for mouse, keyboard, touchpad
  @{run}/udev/data/+platform* r,
  @{run}/udev/data/+dmi:id r,
  @{run}/udev/data/+acpi* r,
  @{run}/udev/data/+pci* r,         # for VGA compatible controller
  @{run}/udev/data/+sound:card* r,  # for sound
  @{run}/udev/data/+usb* r,         # for USB mouse and keyboard
  @{run}/udev/data/+i2c:* r,
  @{run}/udev/data/+hid* r,         # for HID-Compliant Keyboard
  @{run}/udev/data/c10:[0-9]* r,
  @{run}/udev/data/c13:[0-9]* r,    # for /dev/input/*
  @{run}/udev/data/c189:[0-9]*  r,  # for /dev/bus/usb/**
  @{run}/udev/data/c226:[0-9]* r,   # for /dev/dri/card* 
  @{run}/udev/data/n[0-9]* r,

  @{sys}/**/uevent r,
  @{sys}/bus/ r,
  @{sys}/class/ r,
  @{sys}/class/hwmon/ r,
  @{sys}/class/input/ r,
  @{sys}/class/net/ r,
  @{sys}/class/power_supply/ r,
  @{sys}/devices/**/hwmon[0-9]*/{,name,temp*,fan*} r,
  @{sys}/devices/**/hwmon[0-9]*/**/{,name,temp*,fan*} r,
  @{sys}/devices/**/hwmon/{,name,temp*,fan*} r,
  @{sys}/devices/**/hwmon/**/{,name,temp*,fan*} r,
  @{sys}/devices/**/power_supply/{,**} r,
  @{sys}/devices/pci[0-9]*/**/boot_vga r,
  @{sys}/devices/pci[0-9]*/**/drm/ r,
  @{sys}/devices/pci[0-9]*/**/input[0-9]*/{properties,name} r,
  @{sys}/devices/pci[0-9]*/**/net/*/statistics/{rx_bytes,tx_bytes} r,
  @{sys}/devices/system/cpu/cpufreq/policy[0-9]*/scaling_cur_freq r,
  @{sys}/devices/system/cpu/possible r,
  @{sys}/devices/virtual/net/*/statistics/{rx_bytes,tx_bytes} r,

  owner @{PROC}/@{pid}/comm r,
  owner @{PROC}/@{pid}/fd/ r,
  owner @{PROC}/@{pid}/mountinfo r,
  owner @{PROC}/@{pid}/mounts r,
  owner @{PROC}/@{pid}/task/@{pid}/cmdline r,
        @{PROC}/ r,
        @{PROC}/@{pid}/attr/current r,
        @{PROC}/@{pid}/cgroup r,
        @{PROC}/@{pid}/net/* r,
        @{PROC}/@{pid}/stat r,
        @{PROC}/@{pid}/task/@{tid}/stat r,
        @{PROC}/@{pids}/cmdline r,
        @{PROC}/1/cgroup r,
        @{PROC}/cmdline r,
        @{PROC}/sys/kernel/osrelease r,

  /dev/input/event[0-9]* rw,
  /dev/tty[0-9]* rw,

  deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,

  include if exists <local/gnome-shell>
}