# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/3.0>,

include <tunables/global>

@{exec_path} = @{bin}/sddm
profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  include <abstractions/base>
  include <abstractions/authentication>
  include <abstractions/bash>
  include <abstractions/dri-common>
  include <abstractions/fontconfig-cache-read>
  include <abstractions/fonts>
  include <abstractions/freedesktop.org>
  include <abstractions/mesa>
  include <abstractions/nameservice-strict>
  include <abstractions/qt5>
  include <abstractions/wutmp>
  include <abstractions/X-strict>

  capability audit_write,
  capability chown,
  capability dac_override,
  capability dac_read_search,
  capability fowner,
  capability kill,
  capability net_admin,
  capability setgid,
  capability setuid,
  capability sys_resource,
  capability sys_tty_config,

  network netlink raw,

  ptrace (read),
  ptrace (trace) peer=@{profile_name},

  signal (send) set=(term) peer=kwin_wayland,
  signal (send) set=(kill, term) peer=startplasma,
  signal (send) set=(term) peer=startplasma-wayland,
  signal (send) set=(term) peer=sddm-greeter,
  signal (send) set=(kill, term) peer=xorg,

  @{exec_path} mr,

  @{lib}/@{multiarch}/sddm/sddm-helper      rix,
  @{lib}/plasma-dbus-run-session-if-needed  rix,
  @{lib}/sddm/sddm-helper                   rix,
  @{lib}/sddm/sddm-helper-start-wayland     rix,
  @{lib}/sddm/sddm-helper-start-x11user     rix,


  @{bin}/{,ba,da}sh    rix,
  @{bin}/cat           rix,
  @{bin}/checkproc     rix,
  @{bin}/disable-paste rix,
  @{bin}/pidof         rix,
  @{bin}/tr            rix,
  @{bin}/tty           rix,
  @{bin}/xdm            r,
  @{bin}/xmodmap       rix,

  @{bin}/kwin_wayland rPUx,
  @{bin}/sddm-greeter rPx,
  @{bin}/Xorg         rPx,
  /etc/sddm/Xsession  rPx,

  @{bin}/flatpak      rPx,
  @{bin}/sway        rPUx,
  @{bin}/xauth        rCx -> xauth,
  @{bin}/xsetroot     rPx,

  @{bin}/dbus-update-activation-environment rCx -> dbus,
  @{bin}/gnome-keyring-daemon rPx,
  @{bin}/kwalletd5            rPx,
  @{bin}/startplasma-wayland  rPx,
  @{bin}/startplasma-x11      rPx,
  @{bin}/systemctl            rPx -> child-systemctl,
  @{bin}/xrdb                 rPx,
  @{bin}/xset                 rPx,
  @{etc_ro}/X11/xdm/Xsession  rPx,

  /usr/etc/X11/xdm/Xsetup                 rix,
  /usr/share/sddm/scripts/wayland-session rix,
  /usr/share/sddm/scripts/Xsession        rix,
  /usr/share/sddm/scripts/Xsetup          rix,
  /usr/share/sddm/scripts/Xstop           rix,

  /usr/share/desktop-base/softwaves-theme/login/*.svg r,
  /usr/share/icu/@{int}.@{int}/*.dat r,
  /usr/share/plasma/desktoptheme/** r,
  /usr/share/sddm/faces/.*.icon r,
  /usr/share/sddm/themes/** r,
  /usr/share/wayland-sessions/{,*.desktop} r,
  /usr/share/xsessions/{,*.desktop} r,
  /var/lib/AccountsService/icons/*.icon r,

  /etc/X11/xinit/xinitrc.d/{,*} r,

  /{usr/,}etc/environment r,
  /{usr/,}etc/security/limits.d/{,*.conf} r,
  /{usr/,}etc/X11/Xmodmap r,
  /etc/debuginfod/{,*} r,
  /etc/default/locale r,
  /etc/locale.conf r,
  /etc/machine-id r,
  /etc/sddm.conf r,
  /etc/sddm.conf.d/{,*} r,
  /etc/shells r,
  /etc/sysconfig/displaymanager r,

  / r,

  /var/lib/lastlog/ r,
  /var/lib/lastlog/* rwk,

        /var/lib/sddm/state.conf rw,
  owner /var/lib/sddm/.cache/sddm-greeter/qmlcache/*.jsc mrw,
  owner /var/lib/sddm/.cache/sddm-greeter/qmlcache/*.qmlc mrw,
  owner /var/lib/sddm/** rw,

  owner @{HOME}/.local/ w,
  owner @{HOME}/.Xauthority rw,

  owner @{user_config_dirs}/kdeglobals r,
  owner @{user_config_dirs}/kdedefaults/kdeglobals r,
  owner @{user_config_dirs}/menus/{,**} r,
  owner @{user_config_dirs}/startkderc r,

  owner @{user_share_dirs}/ w,
  owner @{user_share_dirs}/kwalletd/ rw,
  owner @{user_share_dirs}/kwalletd/kdewallet.salt rw,
  owner @{user_share_dirs}/sddm/ w,
  owner @{user_share_dirs}/sddm/wayland-session.log w,
  owner @{user_share_dirs}/sddm/xorg-session.log w,

        /tmp/sddm-* rw,
        /tmp/xauth_@{rand6} rwl -> /tmp/#@{int},
  owner /tmp/*/{,s} rw,
  owner /tmp/#@{int} rw,
  owner /tmp/sddm-auth* rw,

        @{run}/faillock/[a-zA-z0-9]* rwk,
        @{run}/sddm.pid rw,
        @{run}/sddm/\{@{uuid}\} rw,
        @{run}/sddm/#@{int} rw,
        @{run}/sddm/xauth_@{rand6} rwl -> @{run}/sddm/#@{int},
        @{run}/systemd/sessions/*.ref rw,
        @{run}/user/@{uid}/xauth_@{rand6} rwl,
  owner @{run}/sddm/ rw,
  owner @{run}/user/@{uid}/ r,
  owner @{run}/user/@{uid}/#@{int} rw,
  owner @{run}/user/@{uid}/kwallet5.socket rw,

  @{sys}/devices/system/node/ r,
  @{sys}/devices/system/node/node@{int}/meminfo r,

        @{PROC}/ r,
        @{PROC}/uptime r,
        @{PROC}/@{pids}/cmdline r,
        @{PROC}/@{pids}/stat r,
        @{PROC}/sys/kernel/core_pattern r,
  owner @{PROC}/@{pid}/loginuid rw,
  owner @{PROC}/@{pid}/mounts r,
  owner @{PROC}/@{pid}/uid_map r,
  owner @{PROC}/1/limits r,

  /dev/tty@{int} rw,
  /dev/tty rw,

  profile xauth {
    include <abstractions/base>

    @{bin}/xauth mr,

    owner @{HOME}/.Xauthority-c  w,
    owner @{HOME}/.Xauthority-l  wl -> @{HOME}/.Xauthority-c,
    owner @{HOME}/.Xauthority-n rw,
    owner @{HOME}/.Xauthority   rwl -> @{HOME}/.Xauthority-n,

    owner @{user_share_dirs}/sddm/xorg-session.log w,

    owner @{run}/sddm/\{@{uuid}\}-c  w,
    owner @{run}/sddm/\{@{uuid}\}-l  wl -> @{run}/sddm/\{@{uuid}\}-c,
    owner @{run}/sddm/\{@{uuid}\}-n rw,
    owner @{run}/sddm/\{@{uuid}\}   rwl -> @{run}/sddm/\{@{uuid}\}-n,

    include if exists <local/sddm_xauth>
  }

  profile dbus {
    include <abstractions/base>

    @{bin}/dbus-update-activation-environment mr,

    owner @{user_share_dirs}/sddm/xorg-session.log w,

    include if exists <local/sddm_dbus>
  }

  include if exists <local/sddm>
}