# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/3.0>,

include <tunables/global>

@{exec_path}  = /{usr/,}bin/gjs-console
profile gjs-console @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/dbus-session-strict>
  include <abstractions/dconf-write>
  include <abstractions/dri-common>
  include <abstractions/dri-enumerate>
  include <abstractions/fonts>
  include <abstractions/freedesktop.org>
  include <abstractions/gtk>
  include <abstractions/mesa>
  include <abstractions/nameservice-strict>
  include <abstractions/opencl-nvidia>
  include <abstractions/openssl>
  include <abstractions/vulkan>

  network netlink raw,

  signal (receive) set=(term hup) peer=gdm*,

  dbus send bus=session path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member={RequestName,ReleaseName}
       peer=(name=org.freedesktop.DBus, label=dbus-daemon),

  dbus send    bus=session path=/org/freedesktop/Notifications
       interface=org.freedesktop.DBus.Properties
       member=GetAll
       peer=(name=:*, label=gnome-shell),

  dbus receive bus=session path=/org/freedesktop/Notifications
       interface=org.freedesktop.DBus.Properties
       member=GetAll
       peer=(name=:*, label=gnome-extension-ding),

  dbus send    bus=session path=/org/gnome/ScreenSaver
       interface=org.freedesktop.DBus.Properties
       member=GetAll
       peer=(name=:*, label=gnome-shell),

  dbus receive bus=session path=/org/gnome/ScreenSaver
       interface=org.freedesktop.DBus.Properties
       member=GetAll
       peer=(name=:*, label=xdg-desktop-portal-*),

  dbus send    bus=session path=/org/gnome/ScreenSaver
       interface=org.gnome.ScreenSaver
       member=ActiveChanged
       peer=(name=org.freedesktop.DBus, label="{gnome-session-binary,gsd-power,xdg-desktop-portal-gtk}"),

  dbus receive bus=session path=/org/gnome/ScreenSaver
       interface=org.gnome.ScreenSaver
       member={ActiveChanged,WakeUpScreen,GetActive}
       peer=(name=:*, label="{gnome-shell,gnome-session-binary,xdg-desktop-portal-*}"),

  dbus receive bus=session path={/,/org}
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name=:*, label=gnome-shell),

  dbus bind bus=session name=org.gnome.ScreenSaver,

  dbus bind bus=session name=org.freedesktop.Notifications,

  dbus bind bus=session name=org.gnome.Shell.Notifications,

  @{exec_path} mr,
  /{usr/,}bin/          r,
  /{usr/,}bin/[a-z0-9]* rPUx,
  @{libexec}/** rPUx,

  /etc/openni2/OpenNI.ini r,

  /usr/share/dconf/profile/gdm r,
  /usr/share/egl/{,**} r,
  /usr/share/gdm/greeter-dconf-defaults r,
  /usr/share/glib-2.0/schemas/gschemas.compiled r,
  /usr/share/gnome-shell/{,**} r,
  /usr/share/X11/xkb/** r,

  /var/lib/gdm{3,}/greeter-dconf-defaults r,
  /var/lib/gdm{3,}/.config/dconf/user r,
  /var/lib/gdm{3,}/.cache/gstreamer-1.0/ rw,
  /var/lib/gdm{3,}/.cache/gstreamer-1.0/registry.*.bin{,.tmp*} rw,

  /tmp/ r,
  /var/tmp/ r,

  owner @{user_share_dirs}/gnome-shell/extensions/{,**} r,
  owner @{user_cache_dirs}/gstreamer-1.0/ rw,
  owner @{user_cache_dirs}/gstreamer-1.0/registry.*.bin{,.tmp*} rw,

  owner @{run}/user/@{uid}/wayland-cursor-shared-* rw,
  owner @{run}/user/@{uid}/gdm/Xauthority r,
  owner @{run}/user/@{uid}/wayland-[0-9]* rw,

  owner @{PROC}/@{pid}/fd/ r,
  owner @{PROC}/@{pid}/mounts r,
  owner @{PROC}/@{pid}/stat r,
  owner @{PROC}/@{pid}/task/ r,
  owner @{PROC}/@{pid}/task/@{tid}/stat r,

  /dev/ r,
  /dev/tty rw,
  /dev/tty[0-9]* rw,

  include if exists <local/gjs-console>
}