# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

# See <abstractions/fontconfig-cache> for documentation.

  abi <abi/4.0>,

  include <abstractions/fontconfig-cache>

       owner @{gdm_cache_dirs}/fontconfig/ r,
       owner @{gdm_cache_dirs}/fontconfig/@{hex32}.cache-?{,.NEW,.LCK,.TMP-*} r,
       owner @{gdm_cache_dirs}/fontconfig/CACHEDIR.TAG{,.NEW,.LCK,.TMP-*} r,
  deny       @{gdm_cache_dirs}/fontconfig/ w,
  deny       @{gdm_cache_dirs}/fontconfig/** w,

       owner @{user_cache_dirs}/fontconfig/ r,
  deny       @{user_cache_dirs}/fontconfig/ w,
  deny       @{user_cache_dirs}/fontconfig/** w,
       owner @{user_cache_dirs}/fontconfig/CACHEDIR.TAG{,.NEW,.LCK,.TMP-*} r,
       owner @{user_cache_dirs}/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} r,

       owner @{HOME}/.fontconfig/ r,
  deny       @{HOME}/.fontconfig/ w,
  deny       @{HOME}/.fontconfig/** w,
       owner @{HOME}/.fontconfig/CACHEDIR.TAG{,.NEW,.LCK,.TMP-*} r,
       owner @{HOME}/.fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} r,

       /var/cache/fontconfig/ r,
  deny /var/cache/fontconfig/ w,
  deny /var/cache/fontconfig/** w,
       /var/cache/fontconfig/CACHEDIR.TAG{,.NEW,.LCK,.TMP-*} r,
       /var/cache/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} r,

  #owner @{HOME}/.fonts/ r,
  deny  @{HOME}/.fonts/ w,
  owner @{HOME}/.fonts/.uuid{,.NEW,.LCK,.TMP-*}  r,
  deny  @{HOME}/.fonts/.uuid{,.NEW,.LCK,.TMP-*}  w,

  # This is to create .uuid file containing an UUID at a font directory. The UUID will be used to
  # identify the font directory and is used to determine the cache filename if available.
  #    owner /usr/local/share/fonts/ r,
       owner /usr/local/share/fonts/.uuid r,
  deny       /usr/local/share/fonts/.uuid{,.NEW,.LCK,.TMP-*} w,
             /usr/share/**/.uuid  r,
  deny       /usr/share/**/.uuid{,.NEW,.LCK,.TMP-*}  w,

  # For fonts downloaded via font-manager
  #    owner "@{user_share_dirs}/fonts/ r,
       owner "@{user_share_dirs}/fonts/**/.uuid" r,
  deny       "@{user_share_dirs}/fonts/**/.uuid{,.NEW,.LCK,.TMP-*}" w,

  include if exists <abstractions/fontconfig-cache-read.d>

# vim:syntax=apparmor
