# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Mikhail Morfikov
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/3.0>,

include <tunables/global>

@{exec_path} = @{bin}/jami-gnome
profile jami-gnome @{exec_path} {
  include <abstractions/base>
  include <abstractions/dconf-write>
  include <abstractions/dri-common>
  include <abstractions/dri-enumerate>
  include <abstractions/fontconfig-cache-read>
  include <abstractions/fonts>
  include <abstractions/freedesktop.org>
  include <abstractions/gtk>
  include <abstractions/mesa>
  include <abstractions/nameservice-strict>
  include <abstractions/user-download-strict>

  network netlink raw,

  @{exec_path} mr,

  @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitNetworkProcess rix,
  @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitWebProcess rix,

  /usr/share/ring/{,**} r,
  /usr/share/sounds/jami-gnome/{,**} r,

  owner @{user_cache_dirs}/ rw,
  owner @{user_cache_dirs}/jami-gnome/ rw,
  owner @{user_cache_dirs}/jami-gnome/** rw,

  owner @{user_share_dirs}/jami/ rw,
  owner @{user_share_dirs}/jami/** rwkl -> @{user_share_dirs}/jami/,

  owner @{user_config_dirs}/autostart/jami-gnome.desktop w,

  owner @{user_share_dirs}/ r,
  owner @{user_share_dirs}/webkitgtk/deviceidhashsalts/1/ r,
  owner @{user_share_dirs}/webkitgtk/databases/indexeddb/v0 w,
  owner @{user_share_dirs}/webkitgtk/databases/indexeddb/v1/ w,

  @{sys}/firmware/acpi/pm_profile r,
  @{sys}/devices/virtual/dmi/id/chassis_type r,
  @{sys}/fs/cgroup/** r,

       owner @{PROC}/@{pid}/statm r,
       owner @{PROC}/@{pid}/smaps r,
  deny owner @{PROC}/@{pid}/cmdline r,
       owner @{PROC}/@{pid}/cgroup r,
             @{PROC}/zoneinfo r,

  include if exists <local/jami-gnome>
}

# vim:syntax=apparmor