# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/4.0>,

include <tunables/global>

@{exec_path} = @{lib}/{,gdm/}gdm-{x,wayland}-session
profile gdm-session @{exec_path} {
  include <abstractions/base>
  include <abstractions/bus-session>
  include <abstractions/bus-system>
  include <abstractions/bus/org.gnome.DisplayManager>
  include <abstractions/bus/session/org.freedesktop.systemd1>

  signal receive set=(hup term) peer=gdm-session-worker,
  signal receive set=(term) peer=gdm,
  signal send    set=(term) peer=dbus-session,
  signal send    set=(term) peer=gnome-session-binary,
  signal send    set=(term) peer=xorg,
  signal send    set=term   peer=gnome-session,

  dbus receive bus=session
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name=:*, label=gnome-shell),

  @{exec_path} mr,

  @{bin}/env                        rix,
  @{bin}/gnome-session              rPx,
  @{bin}/dbus-run-session           rPx -> dbus-session,
  @{bin}/dbus-daemon                rPx -> dbus-session,

  # only: xorg
  @{bin}/Xorg                       rPx,
  /etc/gdm{3,}/Prime/Default        rPx,
  /etc/gdm{3,}/Xsession             rPx,

  /usr/share/gdm{3,}/gdm.schemas r,

  /etc/gdm{3,}/custom.conf r,
  /etc/gdm{3,}/daemon.conf r,
  /etc/sysconfig/displaymanager r,

  owner @{gdm_cache_dirs}/gdm/ rw,
  owner @{gdm_cache_dirs}/gdm/Xauthority rw,
  owner @{gdm_config_dirs}/dconf/user r,
  owner @{GDM_HOME}/greeter-dconf-defaults r,

        @{run}/gdm{3,}/custom.conf r,
  owner @{run}/user/@{uid}/gdm/ w,
  owner @{run}/user/@{uid}/gdm/Xauthority rw,  # only: xorg

  /dev/tty@{int} rw,

  include if exists <local/gdm-session>
}

# vim:syntax=apparmor