# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/4.0>,

include <tunables/global>

@{name} = discord
@{domain} = org.chromium.Chromium
@{lib_dirs} = /usr/share/@{name} /opt/@{name}
@{config_dirs} = @{user_config_dirs}/@{name} @{user_config_dirs}/discordptb
@{cache_dirs} = @{user_cache_dirs}/@{name}

@{exec_path} = @{bin}/discord{,-ptb} @{lib_dirs}/Discord{,PTB}
profile discord @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/audio-client>
  include <abstractions/bus-session>
  include <abstractions/bus/org.kde.StatusNotifierWatcher>
  include <abstractions/common/electron>
  include <abstractions/screensaver>
  include <abstractions/thumbnails-cache-read>
  include <abstractions/user-download-strict>

  network inet dgram,
  network inet6 dgram,
  network inet stream,
  network inet6 stream,
  network netlink raw,

  @{exec_path} mrix,
  @{sh_path}    rix,

  @{lib_dirs}/chrome-sandbox rix,
  @{lib_dirs}/chrome_crashpad_handler rix,

  @{bin}/lsb_release   rPx,
  @{bin}/xdg-mime      rPx,
  @{open_path}         rPx -> child-open-strict,

  /etc/ r,
  /etc/lsb-release r,

  owner @{user_videos_dirs}/{,**} rwl,
  owner @{user_pictures_dirs}/{,**} rwl,

  owner @{config_dirs}/@{version}/modules/** m,

  owner "@{tmp}/Discord Crashes/" rw,
  owner @{tmp}/discord.sock rw,
  owner @{tmp}/net-export/ rw,

  owner @{run}/user/@{uid}/discord-ipc-@{int} rw,

  owner @{PROC}/@{pid}/mem r,
  owner @{PROC}/@{pid}/task/@{tid}/comm r,

  deny ptrace read,

  include if exists <local/discord>
}

# vim:syntax=apparmor