# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2022 Mikhail Morfikov
# Copyright (C) 2021-2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/3.0>,

include <tunables/global>

@{exec_path} = @{lib}/{,at-spi2{,-core}/}at-spi-bus-launcher
profile at-spi-bus-launcher @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/dbus-accessibility>
  include <abstractions/dbus-session>
  include <abstractions/dconf-write>
  include <abstractions/nameservice-strict>
  include <abstractions/X-strict>

  network inet stream, # TODO: local only
  network inet6 stream,
  network inet dgram,
  network inet6 dgram,
  network netlink raw,

  signal (receive) set=(term hup kill) peer=dbus-daemon,
  signal (receive) set=(term hup kill) peer=gdm*,
  signal (receive) set=(term hup kill) peer=gnome-session-binary,

  @{exec_path} mr,

  @{bin}/dbus-broker-launch rPUx,
  @{bin}/dbus-daemon         rix,
  @{lib}/at-spi2-registryd   rPx,

  /usr/share/dbus-1/accessibility-services/ r,
  /usr/share/dbus-1/accessibility-services/org.a11y.atspi.Registry.service r,
  /usr/share/dconf/profile/gdm r,
  /usr/share/defaults/at-spi2/accessibility.conf r,
  /usr/share/gdm/greeter-dconf-defaults r,
  /usr/share/glib-2.0/schemas/gschemas.compiled r,

  /var/lib/gdm{3,}/.config/dconf/user r,
  /var/lib/gdm{3,}/greeter-dconf-defaults r,
  /var/lib/lightdm/.Xauthority r,
  /var/log/lightdm/seat[0-9]*-greeter.log w,

  @{run}/systemd/users/@{uid} r,

  @{sys}/kernel/security/apparmor/.access rw,
  @{sys}/kernel/security/apparmor/features/dbus/mask r,
  @{sys}/module/apparmor/parameters/enabled r,

        @{PROC}/@{pid}/cmdline r,
        @{PROC}/@{pid}/oom_score_adj r,
        @{PROC}/@{pids}/mounts r,
        @{PROC}/1/cgroup r,
  owner @{PROC}/@{pid}/attr/apparmor/current r,
  owner @{PROC}/@{pid}/cgroup r,
  owner @{PROC}/@{pid}/fd/ r,

  owner /dev/tty@{int} rw,

  include if exists <local/at-spi-bus-launcher>
}