# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 odomingao
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/4.0>,

include <tunables/global>

@{exec_path} = @{bin}/gamemoded
@{att} = /att/gamemoded/
profile gamemoded /{,usr/}bin/gamemoded  flags=(attach_disconnected,attach_disconnected.path=@{att},complain) {
  include <abstractions/attached/base>

  capability sys_ptrace,

  ptrace read,

  @{exec_path} mr,

  @{bin}/pkexec cx -> pkexec,
  @{lib}/gamemode/gpuclockctl cx -> pkexec,

  /etc/ r,
  /etc/gamemode.ini r,

  owner @{HOME}/ r,
  owner @{user_config_dirs}/ r,

  @{sys}/devices/@{pci}/vendor r,
  @{sys}/devices/@{pci}/power_dpm_force_performance_level r,
  @{sys}/devices/system/cpu/{,**} r,
  @{sys}/devices/virtual/powercap/{,**} r,

        @{PROC}/sys/kernel/split_lock_mitigate r,
  owner @{PROC}/@{pid}/ r,
  owner @{PROC}/@{pid}/cmdline r,
  owner @{PROC}/@{pid}/environ r,
  owner @{PROC}/@{pid}/fdinfo/ r,
  owner @{PROC}/@{pid}/fdinfo/@{int} r,
  owner @{PROC}/@{pid}/task/ r,

  profile pkexec  flags=(attach_disconnected,attach_disconnected.path=@{att},complain) {
    include <abstractions/attached/base>
    include <abstractions/authentication>
    include <abstractions/nameservice-strict>

    capability audit_write,
    capability mknod,
    capability setgid,
    capability sys_ptrace,

    ptrace read peer=gamemoded,

    network netlink raw,

    @{bin}/pkexec mr,

    @{lib}/gamemode/{,**} r,
    @{lib}/gamemode/cpugovctl ix,
    @{lib}/gamemode/gpuclockctl ix,
    @{lib}/gamemode/procsysctl ix,

    @{etc_ro}/security/limits.d/ r,
    @{etc_ro}/security/limits.d/@{int}-gamemode.conf r,
    /etc/shells r,

    @{sys}/devices/@{pci}/power_dpm_force_performance_level rw,
    @{sys}/devices/@{pci}/vendor r,
    @{sys}/devices/system/cpu/ r,
    @{sys}/devices/system/cpu/cpu@{int}/cpufreq r,
    @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_governor rw,

    @{PROC}/@{pid}/fdinfo/@{int} r,
    @{PROC}/@{pid}/loginuid r,
    @{PROC}/@{pid}/stat r,
    @{PROC}/sys/kernel/split_lock_mitigate rw,

    include if exists <local/gamemoded_pkexec>
  }

  include if exists <local/gamemoded>
}

# vim:syntax=apparmor
