# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/3.0>,

include <tunables/global>

@{exec_path} = @{lib}/{,gdm/}gdm-session-worker
profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/authentication>
  include <abstractions/dbus-session-strict>
  include <abstractions/dbus-strict>
  include <abstractions/nameservice-strict>

  capability audit_write,
  capability chown,
  capability dac_override,
  capability dac_read_search,
  capability fowner,
  capability kill,
  capability net_admin,
  capability setgid,
  capability setuid,
  capability sys_nice,
  capability sys_resource,
  capability sys_tty_config,

  signal (receive) set=term peer=gdm,
  signal (send) set=hup peer=at-spi*,
  signal (send) set=hup peer=dbus-daemon,
  signal (send) set=hup peer=dbus-run-session,
  signal (send) set=hup peer=gjs-console,
  signal (send) set=hup peer=gnome-*,
  signal (send) set=hup peer=gsd-*,
  signal (send) set=hup peer=ibus-*,
  signal (send) set=hup peer=xorg,
  signal (send) set=hup peer=xwayland,
  signal (send) set=hup peer=xdg-permission-store,
  signal (send) set=hup peer=tracker-miner,
  signal (send) set=term peer=gdm-*-session,

  network netlink raw,

  dbus (send,receive) bus=system path=/org/freedesktop/Accounts{,/User[0-9]*}
       interface=org.freedesktop.{DBus.Properties,Accounts*}
       member={GetAll,FindUserByName,SetLanguage,Changed,PropertiesChanged},

  dbus receive bus=system path=/org/freedesktop/Accounts
       interface=org.freedesktop.Accounts
       member=UserAdded
       peer=(name=:*, label=accounts-daemon),

  dbus send bus=system path=/org/freedesktop/login[0-9]
       interface=org.freedesktop.login[0-9].Manager
       member={CreateSession,ReleaseSession},

  @{exec_path} mrix,

  @{bin}/gnome-keyring-daemon             rPx,
  @{lib}/{,gdm/}gdm-wayland-session       rPx,
  @{lib}/{,gdm/}gdm-x-session             rPx,
  /etc/gdm{3,}/{Pre,Post}Session/Default  rix,
  /etc/gdm{3,}/PostLogin/Default          rix,
  /etc/gdm{3,}/PrimeOff/Default           rix,
  @{etc_ro}/X11/xdm/Xstartup             rPUx,

  /usr/share/gdm/gdm.schemas r,
  /usr/share/wayland-sessions/*.desktop r,

  @{etc_ro}/environment r,
  @{etc_ro}/security/limits.d/{,*.conf} r,
  /etc/default/locale r,
  /etc/gdm{3,}/custom.conf r,
  /etc/gdm{3,}/daemon.conf r,
  /etc/locale.conf r,
  /etc/machine-id r,
  /etc/motd r,
  /etc/motd.d/ r,
  /etc/shells r,
  /etc/sysconfig/displaymanager r,
  /etc/sysconfig/windowmanager r,

  owner @{HOME}/.pam_environment r,

  owner @{run}/user/@{uid}/keyring/control rw,

  @{run}/cockpit/active.motd r,
  @{run}/faillock/[a-zA-z0-9]* rwk,
  @{run}/gdm{3,}/custom.conf r,
  @{run}/motd.d/{,*} r,
  @{run}/systemd/sessions/* r,
  @{run}/systemd/sessions/*.ref rw,
  @{run}/systemd/users/@{uid} r,
  @{run}/utmp rwk,

  owner @{PROC}/@{pid}/fd/ r,
  owner @{PROC}/@{pid}/loginuid rw,
  owner @{PROC}/@{pid}/task/@{tid}/attr/exec rw,
  owner @{PROC}/@{pid}/uid_map r,
        @{PROC}/@{pids}/cgroup r,
        @{PROC}/1/limits r,
        @{PROC}/keys r,

  /dev/tty rw,
  /dev/tty[0-9]* rw,

  include if exists <local/gdm-session-worker>
}