# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2015-2020 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/3.0>,

include <tunables/global>

@{exec_path} = /{usr/,}bin/gajim
profile gajim @{exec_path} {
  include <abstractions/base>
  include <abstractions/X>
  include <abstractions/gtk>
  include <abstractions/fonts>
  include <abstractions/fontconfig-cache-read>
  include <abstractions/freedesktop.org>
  include <abstractions/audio>
  include <abstractions/video>
  include <abstractions/dri-enumerate>
  include <abstractions/mesa>
  include <abstractions/nameservice-strict>
  include <abstractions/user-download-strict>
  include <abstractions/python>
  include <abstractions/openssl>
  include <abstractions/ssl_certs>
  include <abstractions/gstreamer>
  include <abstractions/enchant>

  network inet dgram,
  network inet6 dgram,
  network inet stream,
  network inet6 stream,
  network netlink raw,

  @{exec_path} r,

  /{usr/,}bin/           r,
  /{usr/,}bin/{,ba,da}sh rix,
  /{usr/,}bin/uname      rix,
  /{usr/,}{s,}bin/ldconfig  rix,

  # To play sounds
  /{usr/,}bin/aplay      rix,
  /{usr/,}bin/pacat      rix,

  # Needed for GPG/PGP support
  /{usr/,}bin/gpg        rCx -> gpg,
  /{usr/,}bin/gpgconf    rCx -> gpg,
  /{usr/,}bin/gpgsm      rCx -> gpg,

  /{usr/,}bin/ccache                 rCx -> ccache,
  /{usr/,}bin/{,@{multiarch}-}ld.bfd rCx -> ccache,

  # External apps
  /{usr/,}bin/xdg-settings    rPx,
  /{usr/,}lib/firefox/firefox rPx,
  /{usr/,}bin/spacefm         rPx,

  # Gajim plugins
  /usr/share/gajim/plugins/{,**} r,

  # Gajim home files
  owner @{HOME}/ r,
  owner @{user_config_dirs}/gajim/ rw,
  owner @{user_config_dirs}/gajim/** rwk,
  owner @{user_share_dirs}/gajim/ rw,
  owner @{user_share_dirs}/gajim/** rwk,

  # Cache
  owner @{user_cache_dirs}/ rw,
  owner @{user_cache_dirs}/gajim/ rw,
  owner @{user_cache_dirs}/gajim/** rwk,

  owner @{HOME}/.cache/farstream/ rw,
  owner @{HOME}/.cache/farstream/codecs.audio.x86_64.cache{,.tmp*} rw,

  owner @{PROC}/@{pid}/fd/ r,
  owner @{PROC}/@{pid}/mounts r,
  owner @{PROC}/@{pid}/mountinfo r,

  /etc/machine-id r,
  /var/lib/dbus/machine-id r,

  /etc/fstab r,

  /usr/share/glib-2.0/schemas/gschemas.compiled r,

  /usr/share/xml/iso-codes/iso_[0-9]*-[0-9]*.xml r,

  # TMP files locations (first in /tmp/ , /var/tmp/ and @{HOME}/)
    /var/tmp/ r,
        /tmp/ r,
  owner /tmp/* rw,

  include <abstractions/dconf>
  owner @{run}/user/@{uid}/dconf/ rw,
  owner @{run}/user/@{uid}/dconf/user rw,

  # Silencer
  deny /usr/share/gajim/** w,
  deny /usr/lib/python3/dist-packages/** w,

  profile ccache {
    include <abstractions/base>
    include <abstractions/consoles>

    /{usr/,}bin/ccache mr,

    /{usr/,}lib/llvm-[0-9]*/bin/clang      rix,
    /{usr/,}bin/{,@{multiarch}-}gcc-[0-9]* rix,
    /{usr/,}bin/{,@{multiarch}-}g++-[0-9]* rix,
    /{usr/,}bin/{,@{multiarch}-}ld.bfd     rix,
    /{usr/,}lib/gcc/@{multiarch}/[0-9]*/collect2 rix,

    owner /tmp/cc* rw,
    owner /tmp/tmp* rw,

    /media/ccache/*/** rw,

    owner @{run}/user/@{uid}/ccache-tmp/ rw,

    /etc/debian_version r,

  }

  profile gpg {
    include <abstractions/base>

    /{usr/,}bin/gpg     mr,
    /{usr/,}bin/gpgconf mr,
    /{usr/,}bin/gpgsm   mr,

    /{usr/,}bin/gpg-agent      rix,
    /{usr/,}lib/gnupg/scdaemon rix,

    # without owner
    @{PROC}/@{pid}/fd/ r,
    @{PROC}/@{pid}/task/@{tid}/comm rw,

    owner @{run}/user/@{uid}/gnupg/d.*/ rw,
    owner @{run}/user/@{uid}/gnupg/d.*/S.gpg-agent{,.extra,.browser,.ssh} w,

    owner @{HOME}/@{XDG_GPG_DIR}/ rw,
    owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,

    owner @{HOME}/.local/share/gajim/openpgp/ rw,
    owner @{HOME}/.local/share/gajim/openpgp/** rwkl -> @{HOME}/.local/share/gajim/openpgp/**,

  }

  include if exists <local/gajim>
}