# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/3.0>,

include <tunables/global>

@{FT_LIBDIR} =  @{lib}/freetube
@{FT_LIBDIR} += @{lib}/freetube-vue
@{FT_LIBDIR} += /opt/FreeTube
@{FT_LIBDIR} += /opt/FreeTube-Vue

@{exec_path} = @{FT_LIBDIR}/freetube{,-vue}
profile freetube @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
  include <abstractions/dconf-write>
  include <abstractions/opencl-intel>
  include <abstractions/freedesktop.org>
  include <abstractions/fonts>
  include <abstractions/fontconfig-cache-read>
  include <abstractions/gtk>
  include <abstractions/mesa>
  include <abstractions/audio>
  include <abstractions/nameservice-strict>
  include <abstractions/user-download-strict>
  include <abstractions/thumbnails-cache-read>
  include <abstractions/chromium-common>

  network inet dgram,
  network inet6 dgram,
  network inet stream,
  network inet6 stream,
  network netlink raw,

  @{exec_path} mrix,

  @{FT_LIBDIR}/ r,
  @{FT_LIBDIR}/** r,
  @{FT_LIBDIR}/libffmpeg.so mr,
  @{FT_LIBDIR}/{swiftshader/,}libGLESv2.so mr,
  @{FT_LIBDIR}/{swiftshader/,}libEGL.so mr,
  @{FT_LIBDIR}/chrome-sandbox rPx,

  owner @{HOME}/ r,
  owner @{user_config_dirs}/FreeTube/ rw,
  owner @{user_config_dirs}/FreeTube/** rwk,

  # The /proc/ dir is needed to avoid the following error:
  #   traps: freetube[] trap int3 ip:56499eca9d26 sp:7ffcab073060 error:0 in
  #          freetube[56499b8a8000+531e000]
             @{PROC}/ r,
       owner @{PROC}/@{pid}/fd/ r,
  #          @{PROC}/@{pid}/fd/ r,
             @{PROC}/@{pids}/task/ r,
             @{PROC}/@{pids}/task/@{tid}/status r,
  deny       @{PROC}/@{pids}/stat r,
  deny owner @{PROC}/@{pids}/statm r,
  deny owner @{PROC}/@{pid}/cmdline r,
       owner @{PROC}/@{pids}/oom_{,score_}adj r,
  deny owner @{PROC}/@{pids}/oom_{,score_}adj w,
       owner @{PROC}/@{pid}/mountinfo r,
       owner @{PROC}/@{pid}/mounts r,
             @{PROC}/sys/kernel/yama/ptrace_scope r,
  deny       @{PROC}/vmstat r,
             @{PROC}/sys/fs/inotify/max_user_watches r,

  /etc/fstab r,

  owner @{user_share_dirs} r,

  deny @{sys}/devices/virtual/tty/tty0/active r,
  deny @{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r,
  # To remove the following error:
  #  pcilib: Cannot open /sys/bus/pci/devices/0000:03:00.0/irq: Permission denied
  # The irq file is needed to render pages.
  deny @{sys}/devices/pci[0-9]*/**/irq r,

  /var/lib/dbus/machine-id r,
  /etc/machine-id r,

  owner @{run}/user/@{uid}/ r,

  # no new privs
  @{bin}/xdg-settings    rPx,

  @{bin}/xdg-open        rCx -> open,

  # Allowed apps to open
  @{lib}/firefox/firefox rPx,
  @{bin}/mpv             rPx,
  @{bin}/vlc             rPx,

  # file_inherit
  owner /dev/tty[0-9]* rw,


  profile open {
    include <abstractions/base>
    include <abstractions/xdg-open>

    @{bin}/xdg-open mr,

    @{bin}/{,ba,da}sh      rix,
    @{bin}/{m,g,}awk       rix,
    @{bin}/readlink        rix,
    @{bin}/basename        rix,

    owner @{HOME}/ r,

    owner @{run}/user/@{uid}/ r,

    # Allowed apps to open
    @{lib}/firefox/firefox rPx,
    @{bin}/mpv             rPx,
    @{bin}/vlc             rPx,

    # file_inherit
    owner @{HOME}/.xsession-errors w,

  }

  include if exists <local/freetube>
}