# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2017-2021 Mikhail Morfikov
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/3.0>,

include <tunables/global>

@{exec_path} = @{bin}/rpi-imager
profile rpi-imager @{exec_path} {
  include <abstractions/base>
  include <abstractions/dconf-write>
  include <abstractions/disks-write>
  include <abstractions/dri-common>
  include <abstractions/dri-enumerate>
  include <abstractions/fontconfig-cache-read>
  include <abstractions/fonts>
  include <abstractions/freedesktop.org>
  include <abstractions/gtk>
  include <abstractions/mesa>
  include <abstractions/nameservice-strict>
  include <abstractions/opencl>
  include <abstractions/openssl>
  include <abstractions/qt5-shader-cache>
  include <abstractions/ssl_certs>
  include <abstractions/user-download-strict>
  include <abstractions/vulkan>

  #capability sys_admin,
  # deny capability sys_nice,

  network inet dgram,
  network inet6 dgram,
  network inet stream,
  network inet6 stream,
  network netlink dgram,
  network netlink raw,

  @{exec_path} mr,

  @{bin}/lsblk rPx,

  /etc/fstab r,
  /etc/X11/cursors/*.theme r,
  /usr/share/hwdata/pnp.ids r,
  /usr/share/qt5ct/** r,
  /usr/share/X11/xkb/{,**} r,

  /etc/machine-id r,
  /var/lib/dbus/machine-id r,

  owner "@{user_cache_dirs}/Raspberry Pi/" rw,
  owner "@{user_cache_dirs}/Raspberry Pi/**" rwl -> "@{user_cache_dirs}/Raspberry Pi/**",
  owner "@{user_config_dirs}/Raspberry Pi/{,**}" rw,
  owner @{user_cache_dirs}/ rw,
  owner @{user_config_dirs}/qt5ct/{,**} r,
  owner @{user_config_dirs}/QtProject.conf r,

  owner @{PROC}/@{pid}/cmdline r,
  owner @{PROC}/@{pid}/fd/ r,
  owner @{PROC}/@{pid}/mountinfo r,
  owner @{PROC}/@{pid}/mounts r,

  /dev/disk/by-label/ r,

  deny @{user_share_dirs}/gvfs-metadata/* r,

  include if exists <local/rpi-imager>
}