# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/3.0>,

include <tunables/global>

@{exec_path}  = /{usr/,}bin/virt-manager
@{exec_path} += /usr/share/virt-manager/virt-manager
profile virt-manager @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/audio>
  include <abstractions/dconf-write>
  include <abstractions/devices-usb>
  include <abstractions/fontconfig-cache-read>
  include <abstractions/fonts>
  include <abstractions/freedesktop.org>
  include <abstractions/gstreamer>
  include <abstractions/gtk>
  include <abstractions/mesa>
  include <abstractions/nameservice-strict>
  include <abstractions/opencl>
  include <abstractions/openssl>
  include <abstractions/python>
  include <abstractions/ssl_certs>
  include <abstractions/thumbnails-cache-read>
  include <abstractions/user-download-strict>
  include <abstractions/vulkan>

  network inet stream,
  network inet6 stream,
  network netlink raw,

  @{exec_path} rix,

  /{usr/,}bin/{,ba,da}sh rix,
  /{usr/,}bin/python3.[0-9]* r,
  /{usr/,}lib/python3.[0-9]*/site-packages/__pycache__/guestfs.cpython-[0-9]*.pyc.[0-9]* w,

  /{usr/,}bin/ r,
  /{usr/,}bin/env       rix,
  /{usr/,}bin/getfacl   rix,
  /{usr/,}bin/setfacl   rix,

  /{usr/,}{s,}bin/libvirtd                      rPx,
  /{usr/,}lib/spice-client-glib-usb-acl-helper  rPx,

  /usr/share/egl/{,**} r,
  /usr/share/glib-2.0/schemas/gschemas.compiled r,
  /usr/share/gtksourceview-4/{,**} r,
  /usr/share/hwdata/*.ids r,
  /usr/share/ladspa/rdf/{,ladspa.rdfs} r,
  /usr/share/misc/*.ids r,
  /usr/share/osinfo/{,**} r,
  /usr/share/virt-manager/{,**} r,
  /usr/share/virtio/{,*} r,
  /var/lib/usbutils/*.ids r,

  /var/lib/dbus/machine-id r,
  /etc/machine-id r,

  /etc/fstab r,
  /etc/libnl/classid r,
  /etc/libva.conf r,

  owner @{HOME}/ r,
  owner @{user_cache_dirs}/ rw,
  owner @{user_cache_dirs}/virt-manager/ rw,
  owner @{user_cache_dirs}/virt-manager/** rw,
  owner @{user_share_dirs}/gvfs-metadata/{,*} r,

  # For disk images
  @{MOUNTS}/ r,
  @{HOME}/**.{iso,img,bin,mdf,nrg} r,
  @{MOUNTS}/**.{iso,img,bin,mdf,nrg} r,
  @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} r,
  @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} r,

  # System VM images
  /var/lib/libvirt/images/{,**} rw,

  # User VM images
  owner @{user_share_dirs}/ r,
  owner @{user_share_dirs}/libvirt/{,**} rw,
  owner @{user_vm_dirs}/{,**} rw,

  owner @{run}/user/@{uid}/libvirt/libvirtd.lock rwk,
        @{run}/mount/utab r,
        @{run}/udev/data/c51[0-9]:[0-9]* r,

  @{sys}/devices/pci[0-9]*/**/drm/ r,
  @{sys}/devices/virtual/drm/ttm/uevent r,

  owner @{PROC}/@{pid}/mountinfo r,
  owner @{PROC}/@{pid}/mounts r,
  owner @{PROC}/@{pid}/fd/ r,
        @{PROC}/@{pids}/net/route r,

  /dev/media[0-9]* r,
  /dev/video[0-9]* rw,

  # Silence the noise
  deny /usr/share/virt-manager/{,**} w,

  include if exists <local/virt-manager>
}