# apparmor.d - Full set of apparmor profiles # Copyright (C) 2020-2021 Mikhail Morfikov # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , include @{name} = spotify @{lib_dirs} = /opt/spotify/ @{config_dirs} = @{user_config_dirs}/@{name} @{cache_dirs} = @{user_cache_dirs}/@{name} @{exec_path} = @{bin}/@{name} @{lib_dirs}/@{name} profile spotify @{exec_path} { include include include include include include include include network inet dgram, network inet6 dgram, network inet stream, network inet6 stream, network netlink raw, @{exec_path} mrix, @{bin}/grep rix, @{lib_dirs}/{,**} r, @{lib_dirs}/*.so* mr, @{open_path} rPx -> child-open, /etc/machine-id r, /etc/spotify-adblock/* r, /var/lib/dbus/machine-id r, owner @{user_music_dirs}/{,**} r, owner @{user_config_dirs}/spotify-adblock/* r, owner @{config_dirs}/ rw, owner @{config_dirs}/** rwl -> @{config_dirs}/**, owner @{config_dirs}/*/WidevineCdm/**/libwidevinecdm.so rm, owner @{cache_dirs}/ rw, owner @{cache_dirs}/** rwk -> @{cache_dirs}/**, owner @{cache_dirs}/WidevineCdm/**/libwidevinecdm.so rm, @{sys}/devices/system/cpu/kernel_max r, @{sys}/devices/virtual/dmi/id/board_{vendor,name,version} r, @{sys}/devices/virtual/dmi/id/product_{name,version} r, @{sys}/devices/virtual/dmi/id/sys_vendor r, @{sys}/devices/virtual/tty/tty@{int}/active r, @{PROC}/ r, @{PROC}/@{pid}/stat r, @{PROC}/sys/fs/inotify/max_user_watches r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/oom_score_adj w, owner @{PROC}/@{pid}/statm r, owner @{PROC}/@{pid}/task/ r, owner @{PROC}/@{pid}/task/@{tid}/stat r, owner @{PROC}/@{pid}/task/@{tid}/status r, /dev/tty rw, deny @{user_share_dirs}/gvfs-metadata/* r, include if exists }