# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/4.0>,

include <tunables/global>

@{exec_path} = @{lib}/xdg-desktop-portal
profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/app-open>
  include <abstractions/attached/consoles>
  include <abstractions/audio-client>
  include <abstractions/bus-session>
  include <abstractions/bus-system>
  include <abstractions/bus/net.hadess.PowerProfiles>
  include <abstractions/bus/org.freedesktop.impl.portal.PermissionStore>
  include <abstractions/bus/org.freedesktop.NetworkManager>
  include <abstractions/bus/org.freedesktop.RealtimeKit1>
  include <abstractions/dconf-write>
  include <abstractions/freedesktop.org>
  include <abstractions/nameservice-strict>
  include <abstractions/thumbnails-cache-read>
  include <abstractions/trash-strict>
  include <abstractions/user-download-strict>

  capability sys_ptrace,

  network netlink raw,

  ptrace read,

  signal receive set=term peer=gdm,
  signal receive set=hup  peer=gdm-session-worker,

  #aa:dbus own bus=session name=org.freedesktop.portal.Desktop path=/org/freedesktop/portal/desktop interface={org.freedesktop.DBus.Properties,org.freedesktop{,.impl}.portal.{Settings,Background}}
  dbus receive bus=session path=/org/freedesktop/portal/desktop
       interface=org.freedesktop.portal.Realtime
       member=MakeThread*
       peer=(name=:*),

  #aa:dbus own bus=session name=org.freedesktop.background.Monitor path=/org/freedesktop/background/monitor

  #aa:dbus talk bus=session name=org.freedesktop.portal.Documents path=/org/freedesktop/portal/documents label=xdg-document-portal

  dbus send bus=session path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member={GetConnectionUnixUser,GetConnectionUnixProcessID}
       peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),

  dbus receive bus=session
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name=:*, label=gnome-shell),

  @{exec_path} mr,

  @{sh_path}         rix,
  @{bin}/nautilus    rPx,

  @{bin}/kreadconfig{,5}                  rPx,
  @{lib}/xdg-desktop-portal-validate-icon rPx,
  @{open_path}                            rPx -> child-open,

              / r,
        @{att}/.flatpak-info r,
  owner @{att}/ r,

  /usr/share/dconf/profile/gdm r,
  /usr/share/xdg-desktop-portal/** r,
  /usr/share/gdm/greeter-dconf-defaults r,

  /etc/sysconfig/proxy r,

        @{GDM_HOME}/greeter-dconf-defaults r,
  owner @{gdm_config_dirs}/dconf/user r,
  owner @{gdm_config_dirs}/user-dirs.dirs r,

        @{user_config_dirs}/kioslaverc r,
  owner @{user_config_dirs}/xdg-desktop-portal/* r,
  owner @{user_share_dirs}/xdg-desktop-portal/{,**} rw,

  owner @{tmp}/icon@{rand6} rw,

  owner @{run}/user/@{uid}/.flatpak/{,*/*} r,

  @{sys}/devices/virtual/dmi/id/bios_vendor r,
  @{sys}/devices/virtual/dmi/id/board_vendor r,
  @{sys}/devices/virtual/dmi/id/product_name r,
  @{sys}/devices/virtual/dmi/id/sys_vendor r,

        @{PROC}/ r,
        @{PROC}/*/ r,
        @{PROC}/1/cgroup r,
        @{PROC}/cmdline r,
        @{PROC}/sys/kernel/osrelease r,
  owner @{PROC}/@{pid}/mountinfo r,
  owner @{PROC}/@{pid}/task/ r,
  owner @{PROC}/@{pid}/task/@{tid}/ r,
  owner @{PROC}/@{pid}/task/@{tid}/comm rw,
  owner @{PROC}/@{pid}/task/@{tid}/status r,
  owner @{PROC}/@{pids}/cgroup r,

  /dev/tty rw,

  include if exists <local/xdg-desktop-portal>
}

# vim:syntax=apparmor