apparmor.d/apparmor.d/groups/_full/bwrap

# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

# Default profile for bwrap.

abi <abi/3.0>,

include <tunables/global>

@{exec_path} = @{bin}/bwrap
profile bwrap @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  include <abstractions/base>
  include <abstractions/common/bwrap>
  include <abstractions/common/app>
  include <abstractions/dbus>
  include <abstractions/fontconfig-cache-write>

  capability dac_override,
  capability dac_read_search,
  capability sys_resource,

  network inet dgram,
  network inet6 dgram,
  network inet stream,
  network inet6 stream,

  ptrace peer=bwrap//&bwrap-app,

  signal peer=bwrap//&bwrap-app,
  signal (receive) set=(kill),

  @{bin}/**                         rm,
  @{lib}/**                         rm,
  /opt/*/**                         rm,
  /usr/share/*/*                    rm,

  @{bin}/**                         Px -> bwrap//&bwrap-app,
  @{bin}/xdg-dbus-proxy             Px -> bwrap//&xdg-dbus-proxy,
  # @{lib}/**                         Px -> bwrap//&bwrap-app,
  /opt/*/**                         Px -> bwrap//&bwrap-app,
  /usr/share/*/*                    Px -> bwrap//&bwrap-app,

  /usr/.ref rk,

  /bindfile@{rand6} rw,

  owner /var/cache/ w,

  owner @{run}/ld-so-cache-dir/* rw,

  include if exists <usr/bwrap.d>
  include if exists <local/bwrap>
}