# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2015-2020 Mikhail Morfikov
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/4.0>,

include <tunables/global>

@{exec_path} = @{bin}/gajim
@{att} = ""
profile gajim /{,usr/}bin/gajim flags=(complain) {
  include <abstractions/base-strict>
  include <abstractions/audio-client>
  include <abstractions/dconf-write>
  include <abstractions/desktop>
  include <abstractions/enchant>
  include <abstractions/fontconfig-cache-read>
  include <abstractions/graphics>
  include <abstractions/gstreamer>
  include <abstractions/nameservice-strict>
  include <abstractions/python>
  include <abstractions/ssl_certs>
  include <abstractions/user-download-strict>
  include <abstractions/video>

  network inet dgram,
  network inet6 dgram,
  network inet stream,
  network inet6 stream,
  network netlink raw,

  @{exec_path} r,

  @{bin}/           r,
  @{sh_path}        rix,
  @{sbin}/ldconfig  rix,
  @{bin}/uname      rix,

  # To play sounds
  @{bin}/aplay      rix,
  @{bin}/pacat      rix,

  # Needed for GPG/PGP support
  @{bin}/gpg{,2}    rcx -> gpg,
  @{bin}/gpgconf    rcx -> gpg,
  @{bin}/gpgsm      rcx -> gpg,

  @{bin}/ccache                 rcx -> ccache,
  @{bin}/{,@{multiarch}-}ld.bfd rcx -> ccache,

  # External apps
  @{bin}/xdg-settings    rpx,
  @{lib}/firefox/firefox rpx,
  @{bin}/spacefm         rpx,

  /usr/share/gajim/plugins/{,**} r,
  /usr/share/xml/iso-codes/{,**} r,

  /etc/fstab r,
  /etc/machine-id r,
  /var/lib/dbus/machine-id r,

  # Gajim home files
  owner @{HOME}/ r,
  owner @{user_config_dirs}/gajim/ rw,
  owner @{user_config_dirs}/gajim/** rwk,
  owner @{user_share_dirs}/gajim/ rw,
  owner @{user_share_dirs}/gajim/** rwk,

  # Cache
  owner @{user_cache_dirs}/ rw,
  owner @{user_cache_dirs}/gajim/ rw,
  owner @{user_cache_dirs}/gajim/** rwk,

  owner @{user_cache_dirs}/farstream/ rw,
  owner @{user_cache_dirs}/farstream/codecs.audio.@{arch}.cache{,.tmp@{rand6}} rw,

  owner @{PROC}/@{pid}/fd/ r,
  owner @{PROC}/@{pid}/mounts r,
  owner @{PROC}/@{pid}/mountinfo r,

  # TMP files locations (first in /tmp/ , /var/tmp/ and @{HOME}/)
    /var/tmp/ r,
        /tmp/ r,
  owner @{tmp}/* rw,

  # Silencer
  deny /usr/share/gajim/** w,
  deny @{lib}/@{python_name}/dist-packages/** w,

  profile ccache flags=(complain) {
    include <abstractions/base-strict>
    include <abstractions/consoles>

    @{bin}/ccache mr,

    @{lib}/llvm-[0-9]*/bin/clang      rix,
    @{bin}/{,@{multiarch}-}gcc-[0-9]* rix,
    @{bin}/{,@{multiarch}-}g++-[0-9]* rix,
    @{bin}/{,@{multiarch}-}ld.bfd     rix,
    @{lib}/gcc/@{multiarch}/@{int}/collect2 rix,

    /etc/debian_version r,

    /media/ccache/*/** rw,

    owner @{tmp}/cc* rw,
    owner @{tmp}/tmp* rw,

    owner @{run}/user/@{uid}/ccache-tmp/ rw,

    include if exists <local/gajim_ccache>
  }

  profile gpg flags=(complain) {
    include <abstractions/base-strict>

    @{bin}/gpg{,2} mr,
    @{bin}/gpgconf mr,
    @{bin}/gpgsm   mr,

    @{bin}/gpg-agent         rix,
    @{lib}/{,gnupg/}scdaemon rix,

    owner @{run}/user/@{uid}/gnupg/d.@{rand}/ rw,
    owner @{run}/user/@{uid}/gnupg/d.@{rand}/S.gpg-agent{,.extra,.browser,.ssh} w,

    owner @{HOME}/@{XDG_GPG_DIR}/ rw,
    owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,

    owner @{user_share_dirs}/gajim/openpgp/ rw,
    owner @{user_share_dirs}/gajim/openpgp/** rwkl -> @{user_share_dirs}/gajim/openpgp/**,

    # "Without owner
    @{PROC}/@{pid}/fd/ r,
    @{PROC}/@{pid}/task/@{tid}/comm rw,

    include if exists <local/gajim_gpg>
  }

  include if exists <local/gajim>
}

# vim:syntax=apparmor
