# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/4.0>,

include <tunables/global>

@{exec_path} = /usr/share/gdm/generate-config
profile gdm-generate-config @{exec_path} {
  include <abstractions/base>
  include <abstractions/nameservice-strict>

  capability chown,
  capability dac_read_search,
  capability fowner,
  capability fsetid,
  capability setgid,
  capability setuid,

  ptrace read,

  @{exec_path} mr,

  @{sh_path}         rix,
  @{bin}/dconf       rix,
  @{bin}/install     rix,
  @{bin}/pgrep       rix,
  @{bin}/pkill       rix,
  @{bin}/setpriv     rix,
  @{bin}/setsid      rix,

  /etc/gdm{3,}/* r,
  /usr/share/gdm{3,}/{,**} r,

        /var/lib/ r,
        @{GDM_HOME}/ rw,
  owner @{GDM_HOME}/greeter-dconf-defaults rw,
  owner @{GDM_HOME}/greeter-dconf-defaults.@{rand6} rw,

  @{sys}/devices/system/node/ r,
  @{sys}/devices/system/node/node@{int}/meminfo r,

  @{PROC}/ r,
  @{PROC}/@{pid}/cgroup r,
  @{PROC}/@{pid}/cmdline r,
  @{PROC}/@{pid}/stat r,
  @{PROC}/tty/drivers r,
  @{PROC}/uptime r,

  include if exists <local/gdm-generate-config>
}

# vim:syntax=apparmor