# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

  abi <abi/4.0>,

  # The unix socket to use to connect to the display
  unix (connect, receive, send) type=stream peer=(addr=@/tmp/.ICE-unix/@{int}),
  unix (connect, receive, send) type=stream peer=(addr=@/tmp/.X11-unix/X@{int}),
  unix type=stream addr=@/tmp/.ICE-unix/@{int},
  unix type=stream addr=@/tmp/.X11-unix/X@{int},

  /usr/share/X11/{,**} r,
  /usr/share/xsessions/{,*.desktop} r,  # Available Xsessions
  /usr/share/xkeyboard-config-2/{,**} r,

  /etc/X11/cursors/{,**} r,

  owner @{HOME}/.ICEauthority r,  # ICEauthority files required for X authentication, per user
  owner @{HOME}/.Xauthority rw,  # Xauthority files required for X connections, per user
  owner @{HOME}/.xsession-errors rw,

        /tmp/.ICE-unix/@{int} rw,
        /tmp/.X@{int}-lock rw,
        /tmp/.X11-unix/X@{int}{,_} rw,
  owner @{tmp}/xauth_@{rand6} rl -> @{tmp}/#@{int},

  owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} rw,  # Xwayland
  owner @{run}/user/@{uid}/gdm{[1-9],}/Xauthority r,
  owner @{run}/user/@{uid}/iceauth_@{rand6} r,
  owner @{run}/user/@{uid}/ICEauthority r,
  owner @{run}/user/@{uid}/X11/Xauthority r,
  owner @{run}/user/@{uid}/xauth_@{rand6} rl -> @{run}/user/@{uid}/#@{int},

  include if exists <abstractions/X-strict.d>

# vim:syntax=apparmor
