# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/4.0>,

include <tunables/global>

# Path of the GDM Xsession wrapper script this profile confines (used by the
# `mr` rule inside the profile). Note that the profile header below spells the
# same path out literally instead of reusing this variable — keep the two in
# sync if either changes, or the profile will silently stop attaching.
@{exec_path} = @{etc_ro}/gdm{3,}/Xsession
# Empty attach-prefix override. NOTE(review): presumably shadows the global
# @{att} tunable that abstractions use for attach_disconnected paths — confirm
# against tunables/global before relying on it.
@{att} = ""
# Confinement for the Xsession wrapper GDM runs to start a user session.
# NOTE: flags=(complain) on this profile and both child profiles means every
# denial is only logged, never enforced — nothing here restricts the session
# until the flag is dropped. Review the complain logs before doing so.
profile gdm-xsession /{,usr/}etc/gdm{3,}/Xsession flags=(complain) {
  include <abstractions/base-strict>
  include <abstractions/consoles>
  include <abstractions/dconf-write>
  include <abstractions/gschemas>
  include <abstractions/nameservice-strict>
  include <abstractions/shells>

  # The wrapper script itself.
  @{exec_path} mr,

  # Shells and helper tools the script runs. `ix` keeps them inside this
  # profile and passes the environment through unscrubbed — intentional, since
  # the whole purpose of Xsession is to assemble the session environment.
  @{shells_path}         rix,
  @{bin}/{,e}grep        rix,
  @{bin}/{m,g,}awk       rix,
  @{bin}/cat             rix,
  @{bin}/expr            rix,
  @{bin}/gettext         rix,
  # Sourced by the shell, hence read-only rather than exec.
  @{bin}/gettext.sh      r,
  # gnome-session wrapper stays in this profile; the real binary gets its own
  # profile via the `px` rule further down.
  @{bin}/gnome-session   rix,
  @{bin}/id              rix,
  @{bin}/locale          rix,
  @{bin}/locale-check    rix,
  @{bin}/mktemp          rix,
  @{bin}/run-parts       rix,
  @{bin}/sed             rix,
  # NOTE(review): ssh-agent also stays confined here (ix), yet no rule in this
  # profile covers an agent socket path. Check the complain logs for whether
  # that is exercised, or whether a dedicated ssh-agent profile is expected.
  @{bin}/ssh-agent       rix,
  @{bin}/tail            rix,
  @{bin}/tr              rix,
  @{bin}/truncate        rix,
  @{bin}/tty             rix,
  @{bin}/which{,.debianutils}  rix,
  @{bin}/zsh             rix,

  # Programs that leave this profile. `cx` transitions into the child profiles
  # defined below; `px` requires a standalone profile for the target (in
  # enforce mode the exec is denied if none is loaded). Lowercase px/cx: the
  # environment built by the script is handed over unscrubbed.
  @{bin}/dbus-update-activation-environment    rcx -> dbus,
  @{bin}/dpkg-query                            rpx,
  @{bin}/flatpak                               rpx,
  @{bin}/gpgconf                               rpx,
  @{bin}/gsettings                             rpx,
  @{bin}/im-launch                             rpx,
  @{bin}/systemctl                             rcx -> systemctl,
  @{bin}/xbrlapi                               rpx,
  @{bin}/xhost                                 rpx,
  @{bin}/xrdb                                  rpx,
  # Hand-off to xdm's own Xsession script under its own profile.
  @{etc_ro}/X11/xdm/Xsession                   rpx,
  @{lib}/gnome-session-binary                  rpx,

  # im-config (input method) data read during session setup.
  /usr/share/im-config/data/{,*} r,
  /usr/share/im-config/xinputrc.common r,

  /etc/debuginfod/{,*} r,
  /etc/default/im-config r,
  # Whole X11 config tree, read-only. The Xsession.d snippets are listed by
  # run-parts and presumably sourced by the shell, so `r` is all they need.
  /etc/X11/{,**} r,

  # Scratch file created with mktemp; `owner` limits it to the session user.
  owner @{tmp}/gdm{3,}-config-err-@{rand6} rw,

  # NOTE(review): any tty, not owner-restricted — unlike the systemctl child
  # profile below, which uses `owner`. Confirm from the logs whether `owner`
  # also works here (logind hands the session tty to the user).
  /dev/tty@{int} rw,

  # dbus-update-activation-environment: exports the environment assembled by
  # the script into the session bus and the user's systemd manager.
  profile dbus flags=(complain) {
    include <abstractions/base-strict>
    include <abstractions/bus-session>

    # The only method this child may call on systemd: SetEnvironment on the
    # user manager, over the session bus only (peer name is pinned). Whatever
    # the script put in the environment reaches every user service started
    # afterwards, so keep this scoped to exactly this member.
    dbus send bus=session path=/org/freedesktop/systemd1
         interface=org.freedesktop.systemd1.Manager
         member=SetEnvironment
         peer=(name=org.freedesktop.systemd1),

    @{bin}/dbus-update-activation-environment mr,

    # Inherited stderr/stdout redirection of the session; write-only.
    owner @{HOME}/.xsession-errors w,

    # Same tty access as the parent, not owner-restricted.
    /dev/tty rw,
    /dev/tty@{int} rw,

    include if exists <local/gdm-xsession_dbus>
  }

  # systemctl invoked by the script; the shared abstraction carries the rules.
  profile systemctl flags=(complain) {
    include <abstractions/base-strict>
    include <abstractions/app/systemctl>

    # Owner-restricted here, unlike the parent and dbus child above.
    owner /dev/tty@{int} rw,

    include if exists <local/gdm-xsession_systemctl>
  }

  include if exists <local/gdm-xsession>
}

# vim:syntax=apparmor
