# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024-2025 Roman Beslik <me@beroal.in.ua>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/4.0>,

include <tunables/global>

@{att} = ""
profile briar-desktop-tor flags=(complain) {
  include <abstractions/base-strict>

  network inet stream,
  network inet6 stream,
  network netlink raw,

  signal send set=term peer=briar-desktop-tor//lyrebird,
  signal send set=term peer=briar-desktop-tor//obfs4proxy,
  signal send set=term peer=briar-desktop-tor//snowflake,

  owner @{HOME}/.briar/desktop/tor/.tor/{,**} rw,
  owner @{HOME}/.briar/desktop/tor/.tor/lock k,
  owner @{HOME}/.briar/desktop/tor/lyrebird cx -> lyrebird,
  owner @{HOME}/.briar/desktop/tor/obfs4proxy cx -> obfs4proxy,
  owner @{HOME}/.briar/desktop/tor/snowflake cx -> snowflake,
  owner @{HOME}/.briar/desktop/tor/tor r,
  owner @{HOME}/.briar/desktop/tor/torrc r,

  @{PROC}/sys/kernel/random/uuid r,

  include if exists <local/briar-desktop-tor>

  profile lyrebird flags=(complain) {
    include <abstractions/base-strict>
    include <abstractions/nameservice-strict>
    include <abstractions/ssl_certs>

    network inet dgram,
    network inet stream,
    network inet6 dgram,
    network inet6 stream,
    network netlink raw,

    signal receive set=term peer=briar-desktop-tor,

    owner @{HOME}/.briar/desktop/tor/lyrebird mr,
    @{PROC}/sys/net/core/somaxconn r,

    include if exists <local/briar-desktop-tor_lyrebird>
  }

  profile obfs4proxy flags=(complain) {
    include <abstractions/base-strict>

    network inet stream,
    network inet6 stream,

    signal receive set=term peer=briar-desktop-tor,

    owner @{HOME}/.briar/desktop/tor/.tor/pt_state/ w,
    owner @{HOME}/.briar/desktop/tor/obfs4proxy mr,
    @{PROC}/sys/net/core/somaxconn r,

    include if exists <local/briar-desktop-tor_obfs4proxy>
  }

  profile snowflake flags=(complain) {
    include <abstractions/base-strict>
    include <abstractions/nameservice-strict>
    include <abstractions/ssl_certs>

    network inet dgram,
    network inet stream,
    network inet6 dgram,
    network inet6 stream,
    network netlink raw,

    signal receive set=term peer=briar-desktop-tor,

    owner @{HOME}/.briar/desktop/tor/snowflake mr,
    @{PROC}/sys/net/core/somaxconn r,

    include if exists <local/briar-desktop-tor_snowflake>
  }
}

# vim:syntax=apparmor
