# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/4.0>,

include <tunables/global>

@{exec_path} = @{bin}/gnome-session
@{att} = /att/gnome-session/
profile gnome-session /{,usr/}bin/gnome-session  flags=(attach_disconnected,attach_disconnected.path=@{att},complain) {
  include <abstractions/attached/base>
  include <abstractions/bus-session>
  include <abstractions/attached/consoles>
  include <abstractions/dconf-write>
  include <abstractions/gschemas>
  include <abstractions/nameservice-strict>
  include <abstractions/shells>

  signal receive set=term peer=gdm,
  signal receive set=term peer=gdm-session,

  dbus receive bus=session
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name=@{busname}, label=gnome-shell),

  @{exec_path} mrix,

  @{shells_path}               rix,
  @{bin}/cat                   rix,
  @{bin}/find                  rix,
  @{bin}/gettext               rix,
  @{bin}/gettext.sh              r,
  @{bin}/{,e}grep              rix,
  @{bin}/head                  rix,
  @{bin}/id                    rix,
  @{bin}/locale                rix,
  @{bin}/locale-check          rix,
  @{bin}/manpath               rix,
  @{bin}/readlink              rix,
  @{bin}/realpath              rix,
  @{bin}/run-parts             rix,
  @{bin}/sed                   rix,
  @{bin}/tput                  rix,
  @{bin}/tr                    rix,
  @{bin}/tty                   rix,
  @{bin}/uname                 rix,
  @{bin}/xargs                 rix,

  @{bin}/dpkg-query            rpx,
  @{bin}/flatpak               rcx -> flatpak,
  @{bin}/gsettings             rpx,
  @{lib}/gnome-session-binary  rpx,
  @{lib}/gnome-session-init-worker rpx,

  /usr/share/im-config/{,**} r,
  /usr/share/libdebuginfod-common/debuginfod.sh r,
  /usr/share/xsessions/gnome.desktop r,

  @{etc_ro}/profile.d/{,*} r,
  /etc/debuginfod/{,*} r,
  /etc/default/im-config r,
  /etc/manpath.config r,
  /etc/shells r,
  /etc/sysconfig/console r,
  /etc/sysconfig/displaymanager r,
  /etc/sysconfig/language r,
  /etc/sysconfig/mail r,
  /etc/sysconfig/proxy r,
  /etc/sysconfig/windowmanager r,
  /etc/X11/xinit/xinputrc r,
  /etc/X11/Xsession.d/*im-config_launch r,

  owner @{HOME}/ r,

  owner @{run}/user/@{uid}/gnome-session-leader-fifo rw,

  owner @{PROC}/@{pid}/cmdline r,
  owner @{PROC}/@{pid}/fd/ r,
  owner @{PROC}/@{pid}/loginuid r,

  /dev/tty@{int} rw,

  profile flatpak flags=(attach_disconnected,attach_disconnected.path=@{att},complain) {
    include <abstractions/attached/base>
    include <abstractions/attached/consoles>

    @{bin}/flatpak mr,

    /dev/tty@{int} rw,

    include if exists <local/gnome-session_flatpak>
  }

  include if exists <local/gnome-session>
}

# vim:syntax=apparmor
