# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

# Confine glycin-loaders sandboxed with bwrap. It also confines bwrap itself
# for this use case.

# Note: This profile does not specify an attachment path because it is
# intended to be used only via "px -> glycin" exec transitions from other profiles.

abi <abi/4.0>,

include <tunables/global>

@{att} = /att/glycin/
# Outer profile for the bwrap sandbox around glycin loaders. Note that both
# this profile and the nested "loaders" child profile carry the "complain"
# flag: violations are only logged, nothing is enforced until it is removed.
profile glycin flags=(attach_disconnected,attach_disconnected.path=@{att},complain) {
  include <abstractions/attached/base>
  include <abstractions/app/bwrap-glycin>

  # Only the kill signal is exchanged; the send side is restricted to
  # profiles matching *//&glycin (the loader children below).
  signal receive set=kill,
  signal send    set=kill peer=*//&glycin,

  # ptrace "read" only (process-state inspection), no "trace" permission,
  # limited to the same peer set as the signal rule.
  ptrace read peer=*//&glycin,

  # Every loader binary is executed into the dedicated "loaders" child
  # profile defined below rather than staying under this profile.
  @{lib}/glycin-loaders/@{d}+/glycin-* cx -> &glycin//loaders,

  #aa:lint ignore=too-wide
  # Safe deny of inherited files from parent process.
  # Explicit deny rules take precedence over any allow rule brought in by the
  # included abstractions and are not audited by default, so these also keep
  # the log clean for descriptors the parent may have leaked into the sandbox.
  deny network inet dgram,
  deny network inet6 dgram,
  deny network inet stream,
  deny network inet6 stream,
  deny /usr/share/icons/** r,
  deny /usr/share/nvidia/** r,
  deny owner @{HOME}/.*/** rw,
  deny owner /tmp/*/** w,
  deny /opt/*/** rw,
  deny @{sys}/devices/system/** r,
  deny /dev/shm/** rw,
  deny /dev/dri/* rw,

  # Child profile for the individual loader processes (glycin//loaders).
  # NOTE(review): the parent sends kill to *//&glycin but no matching
  # "signal receive" rule exists here — confirm whether one is needed once
  # the complain flag is dropped.
  profile loaders flags=(attach_disconnected,attach_disconnected.path=@{att},complain) {
    include <abstractions/attached/base>
    include <abstractions/fonts>

    # Unix stream sockets only; presumably the IPC channel back to the
    # sandbox/parent — verify against the loader implementation.
    unix type=stream,

    # The loader binary itself (mapped for execution, read-only).
    @{lib}/glycin-loaders/@{d}+/glycin-* mr,

    # Paths below are prefixed with @{att} because they are reached through
    # bwrap's mount namespace (see attach_disconnected.path above).
    @{att}/usr/share/glycin-loaders/{,**} r,

    @{att}/usr/share/gtksourceview-2.0/{,**} r,
    @{att}/usr/share/gtksourceview-3.0/{,**} r,
    @{att}/usr/share/gtksourceview-4/{,**} r,
    @{att}/usr/share/gtksourceview-5/{,**} r,

    include if exists <local/glycin_loaders>
  }

  include if exists <local/glycin>
}

# vim:syntax=apparmor
