# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2022 Mikhail Morfikov
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/3.0>,

include <tunables/global>

@{exec_path} = @{bin}/xkbcomp
profile xkbcomp @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/mesa>
  include <abstractions/X-strict>

  unix (send,receive) type=stream addr=none peer=(label=gnome-shell),
  unix (send,receive) type=stream addr=none peer=(label=xwayland),

  @{exec_path} mr,

  /usr/share/X11/xkb/** r,

  /var/lib/xkb/server-@{int}.xkm w,
  /var/lib/xkb/compiled/server-@{int}.xkm rw,

  owner @{HOME}/*.{xkb,xkm} rw,

  owner @{user_share_dirs}/xorg/Xorg.@{int}.log w,

        /var/lib/{gdm{3,},sddm}/.local/share/xorg/Xorg.@{int}.log w,
  owner /var/log/lightdm/x-@{int}.log w,

  owner @{run}/user/@{uid}/server-@{int}.xkm rwk,

  owner @{tmp}/server-@{int}.xkm rwk,

  /dev/dri/card@{int} rw,
  /dev/fb@{int} rw,
  /dev/tty rw,
  /dev/tty@{int} rw,

  deny /dev/input/event@{int} rw,
  deny /var/log/Xorg.@{int}.log w,

  include if exists <local/xkbcomp>
}

# vim:syntax=apparmor