# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# NEEDS-VARIABLE: name
# NEEDS-VARIABLE: domain
# NEEDS-VARIABLE: lib_dirs
# NEEDS-VARIABLE: config_dirs
# NEEDS-VARIABLE: cache_dirs

# Minimal set of rules for all Electron-based UI applications. It works as a
# *function*: it requires some variables to be provided as *arguments*, set
# in the header of the calling profile. Example:
#
# @{name} = spotify
# @{domain} = org.chromium.chromium
# @{lib_dirs} = /opt/@{name}/ /usr/share/@{name}/
# @{config_dirs} = @{user_config_dirs}/@{name}
# @{cache_dirs} = @{user_cache_dirs}/@{name}
#

  # Policy language ABI the rules below are interpreted with.
  abi <abi/4.0>,

  # Shared building blocks: session bus, the common Chromium/Electron rules,
  # dconf, desktop integration, fontconfig cache, graphics, name resolution
  # and CA certificates.
  include <abstractions/bus-session>
  include <abstractions/common/chromium>
  include <abstractions/dconf-write>
  include <abstractions/desktop>
  include <abstractions/fontconfig-cache-read>
  include <abstractions/graphics>
  include <abstractions/nameservice-strict>
  include <abstractions/ssl_certs>

  # Electron runtime. The launcher binaries run under the calling profile
  # (ix = inherit); the versioned runtime tree is read-only.
  @{bin}/electron rix,
  @{bin}/electron@{int} rix,
  @{lib}/electron@{int}/{,**} r,
  @{lib}/electron@{int}/electron  rix,

  # Application payload under @{lib_dirs}: readable as a whole; shared objects
  # and the app's own native Node add-ons (*.node unpacked from app.asar) may
  # additionally be mapped executable (m). This block grants no write access,
  # so the payload is not modifiable from within the profile.
  @{lib_dirs}/{,**} r,
  @{lib_dirs}/*.so* mr,
  @{lib_dirs}/{,resources/}app.asar.unpacked/node_modules/**.node mr,
  @{lib_dirs}/{,resources/}app.asar.unpacked/node_modules/**.so mr,
  @{lib_dirs}/{,resources/}app.asar.unpacked/node_modules/**.so.@{int} mr,

  # System-wide configuration of the application, read-only.
  /etc/@{name}/{,**} r,

  # Per-user state, limited to files owned by the calling uid (owner).
  # Read/write/link/lock; the link target (l -> ...) is pinned to the same
  # tree, so links cannot be used to reach files outside these directories.
  owner @{config_dirs}/ rw,
  owner @{config_dirs}/** rwlk -> @{config_dirs}/**,

  owner @{cache_dirs}/ rw,
  owner @{cache_dirs}/** rwlk -> @{cache_dirs}/**,

  # User-level Electron command-line flags, read-only.
  owner @{user_config_dirs}/electron-flags.conf r,

  # Resource-limit reads from the user's cgroup hierarchy (cpu.max,
  # memory.high/max). The per-app scope entries are owner-restricted; the
  # slice/session-level ones are not.
        @{sys}/fs/cgroup/user.slice/cpu.max r,
        @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r,
        @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/memory.high r,
        @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/memory.max r,
        @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r,
  owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/*-@{int}.scope/memory.high r,
  owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/*-@{int}.scope/memory.max r,
  owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r,

  # Process introspection. Kernel-wide entries (inotify limit, yama
  # ptrace_scope, version) are plain reads; the process's own /proc entries
  # are owner-only. The only writes are oom_score_adj (adjusting its own OOM
  # score) and task/*/comm (setting its own thread names).
        @{PROC}/ r,
        @{PROC}/@{pid}/stat r,
        @{PROC}/@{pid}/task/@{tid}/status r,
        @{PROC}/sys/fs/inotify/max_user_watches r,
        @{PROC}/sys/kernel/yama/ptrace_scope r,
        @{PROC}/version r,
        @{PROC}/version_signature r,
  owner @{PROC}/@{pid}/cgroup r,
  owner @{PROC}/@{pid}/cmdline r,
  owner @{PROC}/@{pid}/fd/ r,
  owner @{PROC}/@{pid}/mountinfo r,
  owner @{PROC}/@{pid}/oom_score_adj rw,
  owner @{PROC}/@{pid}/stat r,
  owner @{PROC}/@{pid}/statm r,
  owner @{PROC}/@{pid}/task/ r,
  owner @{PROC}/@{pid}/task/@{tid}/comm rw,
  owner @{PROC}/@{pid}/task/@{tid}/stat r,

  # Explicit deny: the GVFS metadata store is never readable through this
  # abstraction, even if a later rule or include would allow it.
  # NOTE(review): presumably also meant to keep this access out of the audit
  # log — confirm against the project's convention for deny rules.
  deny @{user_share_dirs}/gvfs-metadata/* r,

  # Local drop-in for site-specific additions; a missing file is not an error.
  include if exists <abstractions/common/electron.d>

# vim:syntax=apparmor
