# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

# TODO: some GNOME extensions run from within this profile. It would be better to have a way to separate them.

# Policy ABI the rules below are written against.
abi <abi/4.0>,

include <tunables/global>

# Path of the confined binary. NOTE(review): the profile header below attaches
# to the literal /{,usr/}bin/gnome-shell rather than to @{exec_path}; this looks
# like build-time expansion of the variable — confirm the two stay in sync.
@{exec_path} = @{bin}/gnome-shell
# Directory given to attach_disconnected.path in the profile flags, i.e. where
# disconnected paths are re-rooted for mediation.
# NOTE(review): the header also carries the `complain` flag, so denials in this
# profile are only logged, not enforced; and the body repeats a few rules
# (the abstractions/bus/system/org.freedesktop.locale1 include and the
# org.gnome.Shell own block appear twice). Harmless for enforcement, but worth
# deduplicating in the source the profile is generated from.
@{att} = /att/gnome-shell/
profile gnome-shell /{,usr/}bin/gnome-shell  flags=(attach_disconnected,attach_disconnected.path=@{att},mediate_deleted,complain) {
  include <abstractions/attached/base>
  include <abstractions/audio-client>
  include <abstractions/bus-session>
  include <abstractions/bus-system>
  include <abstractions/bus/com.canonical.dbusmenu>
  include <abstractions/bus/net.hadess.PowerProfiles>
  include <abstractions/bus/net.hadess.SwitcherooControl>
  include <abstractions/bus/net.reactivated.Fprint>
  include <abstractions/bus/org.freedesktop.background.Monitor>
  include <abstractions/bus/org.freedesktop.FileManager1>
  include <abstractions/bus/org.freedesktop.impl.portal.PermissionStore>
  include <abstractions/bus/system/org.freedesktop.locale1>
  include <abstractions/bus/org.freedesktop.PackageKit>
  include <abstractions/bus/org.freedesktop.portal.Desktop>
  include <abstractions/bus/org.freedesktop.RealtimeKit1>
  include <abstractions/bus/system/org.freedesktop.systemd1>
  include <abstractions/bus/org.gnome.keyring.internal.Prompter>
  include <abstractions/bus/session/org.gtk.Private.RemoteVolumeMonitor>
  include <abstractions/bus/system/org.bluez>
  include <abstractions/bus/system/org.freedesktop.locale1>
  include <abstractions/camera>
  include <abstractions/dconf-write>
  include <abstractions/fontconfig-cache-write>
  include <abstractions/gnome-strict>
  include <abstractions/graphics>
  include <abstractions/gstreamer>
  include <abstractions/ibus-strict>
  include <abstractions/localization>
  include <abstractions/media-control>
  include <abstractions/nameservice-strict>
  include <abstractions/notifications>
  include <abstractions/p11-kit>
  include <abstractions/secrets-service>
  include <abstractions/ssl_certs>
  include <abstractions/thumbnails-cache-read>
  include <abstractions/upower-observe>

  capability sys_nice,
  capability sys_ptrace,

  network inet stream,
  network inet6 stream,
  network inet dgram,
  network inet6 dgram,
  network netlink raw,
  network unix stream,

  ptrace read,

  signal receive set=(term, hup) peer=gdm*,
  signal send,

  unix (send,receive) type=stream addr=none peer=(label=gnome-extension-ding),
  unix (send,receive) type=stream addr=none peer=(label=xkbcomp),
  unix (send,receive) type=stream addr=none peer=(label=xwayland),

  # Owned by gnome-shell

  include <abstractions/bus/session/own>

  dbus bind bus=session name=org.gnome.keyring.SystemPrompter{,.*},
  dbus receive bus=session path=/org/gnome/keyring/SystemPrompter{,/**}
       interface=org.gnome.keyring.SystemPrompter{,.*}
       peer=(name="@{busname}"),
  dbus send bus=session path=/org/gnome/keyring/SystemPrompter{,/**}
       interface=org.gnome.keyring.SystemPrompter{,.*}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  dbus (send receive) bus=session path=/org/gnome/keyring/SystemPrompter{,/**}
       interface=org.freedesktop.DBus.Properties
       member={Get,GetAll,Set,PropertiesChanged}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  dbus receive bus=session path=/org/gnome/keyring/SystemPrompter{,/**}
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name="@{busname}"),
  dbus receive bus=session path=/org/gnome/keyring/SystemPrompter{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member=GetManagedObjects
       peer=(name="{@{busname},org.gnome.keyring.SystemPrompter{,.*}}"),
  dbus send bus=session path=/org/gnome/keyring/SystemPrompter{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member={InterfacesAdded,InterfacesRemoved}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  include <abstractions/bus/session/own>

  dbus bind bus=session name=org.gnome.Mutter{,.*},
  dbus receive bus=session path=/org/gnome/Mutter{,/**}
       interface=org.gnome.Mutter{,.*}
       peer=(name="@{busname}"),
  dbus send bus=session path=/org/gnome/Mutter{,/**}
       interface=org.gnome.Mutter{,.*}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  dbus (send receive) bus=session path=/org/gnome/Mutter{,/**}
       interface=org.freedesktop.DBus.Properties
       member={Get,GetAll,Set,PropertiesChanged}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  dbus receive bus=session path=/org/gnome/Mutter{,/**}
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name="@{busname}"),
  dbus receive bus=session path=/org/gnome/Mutter{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member=GetManagedObjects
       peer=(name="{@{busname},org.gnome.Mutter{,.*}}"),
  dbus send bus=session path=/org/gnome/Mutter{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member={InterfacesAdded,InterfacesRemoved}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  include <abstractions/bus/session/own>

  dbus bind bus=session name=org.gnome.Shell{,.*},
  dbus receive bus=session path=/org/gnome/Shell{,/**}
       interface=org.gnome.Shell{,.*}
       peer=(name="@{busname}"),
  dbus send bus=session path=/org/gnome/Shell{,/**}
       interface=org.gnome.Shell{,.*}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  dbus (send receive) bus=session path=/org/gnome/Shell{,/**}
       interface=org.freedesktop.DBus.Properties
       member={Get,GetAll,Set,PropertiesChanged}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  dbus receive bus=session path=/org/gnome/Shell{,/**}
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name="@{busname}"),
  dbus receive bus=session path=/org/gnome/Shell{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member=GetManagedObjects
       peer=(name="{@{busname},org.gnome.Shell{,.*}}"),
  dbus send bus=session path=/org/gnome/Shell{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member={InterfacesAdded,InterfacesRemoved}
       peer=(name="{@{busname},org.freedesktop.DBus}"),

  include <abstractions/bus/session/own>

  dbus bind bus=session name=com.canonical.{U,u}nity{,.*},
  dbus receive bus=session path=/com/canonical/{U,u}nity{,/**}
       interface=com.canonical.{U,u}nity{,.*}
       peer=(name="@{busname}"),
  dbus send bus=session path=/com/canonical/{U,u}nity{,/**}
       interface=com.canonical.{U,u}nity{,.*}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  dbus (send receive) bus=session path=/com/canonical/{U,u}nity{,/**}
       interface=org.freedesktop.DBus.Properties
       member={Get,GetAll,Set,PropertiesChanged}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  dbus receive bus=session path=/com/canonical/{U,u}nity{,/**}
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name="@{busname}"),
  dbus receive bus=session path=/com/canonical/{U,u}nity{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member=GetManagedObjects
       peer=(name="{@{busname},com.canonical.{U,u}nity{,.*}}"),
  dbus send bus=session path=/com/canonical/{U,u}nity{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member={InterfacesAdded,InterfacesRemoved}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  include <abstractions/bus/session/own>

  dbus bind bus=session name=com.canonical.dbusmenu{,.*},
  dbus receive bus=session path=/{,com/canonical/dbusmenu}
       interface=com.canonical.dbusmenu{,.*}
       peer=(name="@{busname}"),
  dbus send bus=session path=/{,com/canonical/dbusmenu}
       interface=com.canonical.dbusmenu{,.*}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  dbus (send receive) bus=session path=/{,com/canonical/dbusmenu}
       interface=org.freedesktop.DBus.Properties
       member={Get,GetAll,Set,PropertiesChanged}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  dbus receive bus=session path=/{,com/canonical/dbusmenu}
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name="@{busname}"),
  dbus receive bus=session path=/{,com/canonical/dbusmenu}
       interface=org.freedesktop.DBus.ObjectManager
       member=GetManagedObjects
       peer=(name="{@{busname},com.canonical.dbusmenu{,.*}}"),
  dbus send bus=session path=/{,com/canonical/dbusmenu}
       interface=org.freedesktop.DBus.ObjectManager
       member={InterfacesAdded,InterfacesRemoved}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  include <abstractions/bus/session/own>

  dbus bind bus=session name=com.canonical.Shell.PermissionPrompting{,.*},
  dbus receive bus=session path=/com/canonical/Shell/PermissionPrompting{,/**}
       interface=com.canonical.Shell.PermissionPrompting{,.*}
       peer=(name="@{busname}"),
  dbus send bus=session path=/com/canonical/Shell/PermissionPrompting{,/**}
       interface=com.canonical.Shell.PermissionPrompting{,.*}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  dbus (send receive) bus=session path=/com/canonical/Shell/PermissionPrompting{,/**}
       interface=org.freedesktop.DBus.Properties
       member={Get,GetAll,Set,PropertiesChanged}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  dbus receive bus=session path=/com/canonical/Shell/PermissionPrompting{,/**}
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name="@{busname}"),
  dbus receive bus=session path=/com/canonical/Shell/PermissionPrompting{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member=GetManagedObjects
       peer=(name="{@{busname},com.canonical.Shell.PermissionPrompting{,.*}}"),
  dbus send bus=session path=/com/canonical/Shell/PermissionPrompting{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member={InterfacesAdded,InterfacesRemoved}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  include <abstractions/bus/session/own>

  dbus bind bus=session name=com.rastersoft.dingextension{,.*},
  dbus receive bus=session path=/com/rastersoft/dingextension{,/**}
       interface=com.rastersoft.dingextension{,.*}
       peer=(name="@{busname}"),
  dbus send bus=session path=/com/rastersoft/dingextension{,/**}
       interface=com.rastersoft.dingextension{,.*}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  dbus (send receive) bus=session path=/com/rastersoft/dingextension{,/**}
       interface=org.freedesktop.DBus.Properties
       member={Get,GetAll,Set,PropertiesChanged}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  dbus receive bus=session path=/com/rastersoft/dingextension{,/**}
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name="@{busname}"),
  dbus receive bus=session path=/com/rastersoft/dingextension{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member=GetManagedObjects
       peer=(name="{@{busname},com.rastersoft.dingextension{,.*}}"),
  dbus send bus=session path=/com/rastersoft/dingextension{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member={InterfacesAdded,InterfacesRemoved}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  include <abstractions/bus/session/own>

  dbus bind bus=session name=org.ayatana.NotificationItem{,.*},
  dbus receive bus=session path=/org/ayatana/NotificationItem{,/**}
       interface=org.ayatana.NotificationItem{,.*}
       peer=(name="@{busname}"),
  dbus send bus=session path=/org/ayatana/NotificationItem{,/**}
       interface=org.ayatana.NotificationItem{,.*}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  dbus (send receive) bus=session path=/org/ayatana/NotificationItem{,/**}
       interface=org.freedesktop.DBus.Properties
       member={Get,GetAll,Set,PropertiesChanged}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  dbus receive bus=session path=/org/ayatana/NotificationItem{,/**}
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name="@{busname}"),
  dbus receive bus=session path=/org/ayatana/NotificationItem{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member=GetManagedObjects
       peer=(name="{@{busname},org.ayatana.NotificationItem{,.*}}"),
  dbus send bus=session path=/org/ayatana/NotificationItem{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member={InterfacesAdded,InterfacesRemoved}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  include <abstractions/bus/session/own>

  dbus bind bus=session name=org.freedesktop.a11y.Manager{,.*},
  dbus receive bus=session path=/org/freedesktop/a11y/Manager{,/**}
       interface=org.freedesktop.a11y.Manager{,.*}
       peer=(name="@{busname}"),
  dbus send bus=session path=/org/freedesktop/a11y/Manager{,/**}
       interface=org.freedesktop.a11y.Manager{,.*}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  dbus (send receive) bus=session path=/org/freedesktop/a11y/Manager{,/**}
       interface=org.freedesktop.DBus.Properties
       member={Get,GetAll,Set,PropertiesChanged}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  dbus receive bus=session path=/org/freedesktop/a11y/Manager{,/**}
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name="@{busname}"),
  dbus receive bus=session path=/org/freedesktop/a11y/Manager{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member=GetManagedObjects
       peer=(name="{@{busname},org.freedesktop.a11y.Manager{,.*}}"),
  dbus send bus=session path=/org/freedesktop/a11y/Manager{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member={InterfacesAdded,InterfacesRemoved}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  include <abstractions/bus/session/own>

  dbus bind bus=session name=org.gnome.Shell{,.*},
  dbus receive bus=session path=/org/gnome/Shell{,/**}
       interface=org.gnome.Shell{,.*}
       peer=(name="@{busname}"),
  dbus send bus=session path=/org/gnome/Shell{,/**}
       interface=org.gnome.Shell{,.*}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  dbus (send receive) bus=session path=/org/gnome/Shell{,/**}
       interface=org.freedesktop.DBus.Properties
       member={Get,GetAll,Set,PropertiesChanged}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  dbus receive bus=session path=/org/gnome/Shell{,/**}
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name="@{busname}"),
  dbus receive bus=session path=/org/gnome/Shell{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member=GetManagedObjects
       peer=(name="{@{busname},org.gnome.Shell{,.*}}"),
  dbus send bus=session path=/org/gnome/Shell{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member={InterfacesAdded,InterfacesRemoved}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  include <abstractions/bus/session/own>

  dbus bind bus=session name=org.gtk.Actions{,.*},
  dbus receive bus=session path=/**
       interface=org.gtk.Actions{,.*}
       peer=(name="@{busname}"),
  dbus send bus=session path=/**
       interface=org.gtk.Actions{,.*}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  dbus (send receive) bus=session path=/**
       interface=org.freedesktop.DBus.Properties
       member={Get,GetAll,Set,PropertiesChanged}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  dbus receive bus=session path=/**
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name="@{busname}"),
  dbus receive bus=session path=/**
       interface=org.freedesktop.DBus.ObjectManager
       member=GetManagedObjects
       peer=(name="{@{busname},org.gtk.Actions{,.*}}"),
  dbus send bus=session path=/**
       interface=org.freedesktop.DBus.ObjectManager
       member={InterfacesAdded,InterfacesRemoved}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  include <abstractions/bus/session/own>

  dbus bind bus=session name=org.gtk.MountOperationHandler{,.*},
  dbus receive bus=session path=/org/gtk/MountOperationHandler{,/**}
       interface=org.gtk.MountOperationHandler{,.*}
       peer=(name="@{busname}"),
  dbus send bus=session path=/org/gtk/MountOperationHandler{,/**}
       interface=org.gtk.MountOperationHandler{,.*}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  dbus (send receive) bus=session path=/org/gtk/MountOperationHandler{,/**}
       interface=org.freedesktop.DBus.Properties
       member={Get,GetAll,Set,PropertiesChanged}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  dbus receive bus=session path=/org/gtk/MountOperationHandler{,/**}
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name="@{busname}"),
  dbus receive bus=session path=/org/gtk/MountOperationHandler{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member=GetManagedObjects
       peer=(name="{@{busname},org.gtk.MountOperationHandler{,.*}}"),
  dbus send bus=session path=/org/gtk/MountOperationHandler{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member={InterfacesAdded,InterfacesRemoved}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  include <abstractions/bus/session/own>

  dbus bind bus=session name=org.gtk.Notifications{,.*},
  dbus receive bus=session path=/org/gtk/Notifications{,/**}
       interface=org.gtk.Notifications{,.*}
       peer=(name="@{busname}"),
  dbus send bus=session path=/org/gtk/Notifications{,/**}
       interface=org.gtk.Notifications{,.*}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  dbus (send receive) bus=session path=/org/gtk/Notifications{,/**}
       interface=org.freedesktop.DBus.Properties
       member={Get,GetAll,Set,PropertiesChanged}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  dbus receive bus=session path=/org/gtk/Notifications{,/**}
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name="@{busname}"),
  dbus receive bus=session path=/org/gtk/Notifications{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member=GetManagedObjects
       peer=(name="{@{busname},org.gtk.Notifications{,.*}}"),
  dbus send bus=session path=/org/gtk/Notifications{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member={InterfacesAdded,InterfacesRemoved}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  include <abstractions/bus/session/own>

  dbus bind bus=session name=org.kde.StatusNotifierItem{,.*},
  dbus receive bus=session path=/
       interface=org.kde.StatusNotifierItem{,.*}
       peer=(name="@{busname}"),
  dbus send bus=session path=/
       interface=org.kde.StatusNotifierItem{,.*}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  dbus (send receive) bus=session path=/
       interface=org.freedesktop.DBus.Properties
       member={Get,GetAll,Set,PropertiesChanged}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  dbus receive bus=session path=/
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name="@{busname}"),
  dbus receive bus=session path=/
       interface=org.freedesktop.DBus.ObjectManager
       member=GetManagedObjects
       peer=(name="{@{busname},org.kde.StatusNotifierItem{,.*}}"),
  dbus send bus=session path=/
       interface=org.freedesktop.DBus.ObjectManager
       member={InterfacesAdded,InterfacesRemoved}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  include <abstractions/bus/session/own>

  dbus bind bus=session name=org.kde.StatusNotifierWatcher{,.*},
  dbus receive bus=session path=/StatusNotifierWatcher
       interface=org.kde.StatusNotifierWatcher{,.*}
       peer=(name="@{busname}"),
  dbus send bus=session path=/StatusNotifierWatcher
       interface=org.kde.StatusNotifierWatcher{,.*}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  dbus (send receive) bus=session path=/StatusNotifierWatcher
       interface=org.freedesktop.DBus.Properties
       member={Get,GetAll,Set,PropertiesChanged}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  dbus receive bus=session path=/StatusNotifierWatcher
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name="@{busname}"),
  dbus receive bus=session path=/StatusNotifierWatcher
       interface=org.freedesktop.DBus.ObjectManager
       member=GetManagedObjects
       peer=(name="{@{busname},org.kde.StatusNotifierWatcher{,.*}}"),
  dbus send bus=session path=/StatusNotifierWatcher
       interface=org.freedesktop.DBus.ObjectManager
       member={InterfacesAdded,InterfacesRemoved}
       peer=(name="{@{busname},org.freedesktop.DBus}"),

  # Owning this name is not strictly needed, but it simplifies things
  include <abstractions/bus/session/own>

  dbus bind bus=session name=org.mpris.MediaPlayer2{,.*},
  dbus receive bus=session path=/org/mpris/MediaPlayer2{,/**}
       interface=org.mpris.MediaPlayer2{,.*}
       peer=(name="@{busname}"),
  dbus send bus=session path=/org/mpris/MediaPlayer2{,/**}
       interface=org.mpris.MediaPlayer2{,.*}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  dbus (send receive) bus=session path=/org/mpris/MediaPlayer2{,/**}
       interface=org.freedesktop.DBus.Properties
       member={Get,GetAll,Set,PropertiesChanged}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  dbus receive bus=session path=/org/mpris/MediaPlayer2{,/**}
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name="@{busname}"),
  dbus receive bus=session path=/org/mpris/MediaPlayer2{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member=GetManagedObjects
       peer=(name="{@{busname},org.mpris.MediaPlayer2{,.*}}"),
  dbus send bus=session path=/org/mpris/MediaPlayer2{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member={InterfacesAdded,InterfacesRemoved}
       peer=(name="{@{busname},org.freedesktop.DBus}"),

  # Talk with gnome-shell

  # The strategy for dbus rules in this profile is first to declare all communications
  # needed on the buses and to restrict each of them to the matching peer profile in
  # apparmor.d. As such, only the dbus directive is used for this. Some of these
  # communications could be restricted further later on.

  unix type=stream addr=none peer=(label="@{p_accounts_daemon}", addr=none),

  dbus (send receive) bus=system path=/org/freedesktop/Accounts{,/**}
       interface=org.freedesktop.Accounts{,.*}
       peer=(name="{@{busname},org.freedesktop.Accounts{,.*}}", label="@{p_accounts_daemon}"),
  dbus (send receive) bus=system path=/org/freedesktop/Accounts{,/**}
       interface=org.freedesktop.DBus.Properties
       member={Get,GetAll,Set,PropertiesChanged}
       peer=(name="{@{busname},org.freedesktop.Accounts{,.*}}", label="@{p_accounts_daemon}"),
  dbus send bus=system path=/org/freedesktop/Accounts{,/**}
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name="{@{busname},org.freedesktop.Accounts{,.*}}", label="@{p_accounts_daemon}"),
  dbus send bus=system path=/org/freedesktop/Accounts{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member=GetManagedObjects
       peer=(name="{@{busname},org.freedesktop.Accounts{,.*}}", label="@{p_accounts_daemon}"),
  dbus receive bus=system path=/org/freedesktop/Accounts{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member={InterfacesAdded,InterfacesRemoved}
       peer=(name="{@{busname},org.freedesktop.Accounts{,.*}}", label="@{p_accounts_daemon}"),
  unix type=stream addr=none peer=(label=boltd, addr=none),

  dbus (send receive) bus=system path=/org/freedesktop/bolt{,/**}
       interface=org.freedesktop.bolt{,.*}
       peer=(name="{@{busname},org.freedesktop.bolt{,.*}}", label=boltd),
  dbus (send receive) bus=system path=/org/freedesktop/bolt{,/**}
       interface=org.freedesktop.DBus.Properties
       member={Get,GetAll,Set,PropertiesChanged}
       peer=(name="{@{busname},org.freedesktop.bolt{,.*}}", label=boltd),
  dbus send bus=system path=/org/freedesktop/bolt{,/**}
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name="{@{busname},org.freedesktop.bolt{,.*}}", label=boltd),
  dbus send bus=system path=/org/freedesktop/bolt{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member=GetManagedObjects
       peer=(name="{@{busname},org.freedesktop.bolt{,.*}}", label=boltd),
  dbus receive bus=system path=/org/freedesktop/bolt{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member={InterfacesAdded,InterfacesRemoved}
       peer=(name="{@{busname},org.freedesktop.bolt{,.*}}", label=boltd),
  unix type=stream addr=none peer=(label="@{p_colord}", addr=none),

  dbus (send receive) bus=system path=/org/freedesktop/ColorManager{,/**}
       interface=org.freedesktop.ColorManager{,.*}
       peer=(name="{@{busname},org.freedesktop.ColorManager{,.*}}", label="@{p_colord}"),
  dbus (send receive) bus=system path=/org/freedesktop/ColorManager{,/**}
       interface=org.freedesktop.DBus.Properties
       member={Get,GetAll,Set,PropertiesChanged}
       peer=(name="{@{busname},org.freedesktop.ColorManager{,.*}}", label="@{p_colord}"),
  dbus send bus=system path=/org/freedesktop/ColorManager{,/**}
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name="{@{busname},org.freedesktop.ColorManager{,.*}}", label="@{p_colord}"),
  dbus send bus=system path=/org/freedesktop/ColorManager{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member=GetManagedObjects
       peer=(name="{@{busname},org.freedesktop.ColorManager{,.*}}", label="@{p_colord}"),
  dbus receive bus=system path=/org/freedesktop/ColorManager{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member={InterfacesAdded,InterfacesRemoved}
       peer=(name="{@{busname},org.freedesktop.ColorManager{,.*}}", label="@{p_colord}"),
  unix type=stream addr=none peer=(label=geoclue, addr=none),

  dbus (send receive) bus=system path=/org/freedesktop/GeoClue2{,/**}
       interface=org.freedesktop.GeoClue2{,.*}
       peer=(name="{@{busname},org.freedesktop.GeoClue2{,.*}}", label=geoclue),
  dbus (send receive) bus=system path=/org/freedesktop/GeoClue2{,/**}
       interface=org.freedesktop.DBus.Properties
       member={Get,GetAll,Set,PropertiesChanged}
       peer=(name="{@{busname},org.freedesktop.GeoClue2{,.*}}", label=geoclue),
  dbus send bus=system path=/org/freedesktop/GeoClue2{,/**}
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name="{@{busname},org.freedesktop.GeoClue2{,.*}}", label=geoclue),
  dbus send bus=system path=/org/freedesktop/GeoClue2{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member=GetManagedObjects
       peer=(name="{@{busname},org.freedesktop.GeoClue2{,.*}}", label=geoclue),
  dbus receive bus=system path=/org/freedesktop/GeoClue2{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member={InterfacesAdded,InterfacesRemoved}
       peer=(name="{@{busname},org.freedesktop.GeoClue2{,.*}}", label=geoclue),
  unix type=stream addr=none peer=(label="@{p_systemd_logind}", addr=none),

  dbus (send receive) bus=system path=/org/freedesktop/login1{,/**}
       interface=org.freedesktop.login1{,.*}
       peer=(name="{@{busname},org.freedesktop.login1{,.*}}", label="@{p_systemd_logind}"),
  dbus (send receive) bus=system path=/org/freedesktop/login1{,/**}
       interface=org.freedesktop.DBus.Properties
       member={Get,GetAll,Set,PropertiesChanged}
       peer=(name="{@{busname},org.freedesktop.login1{,.*}}", label="@{p_systemd_logind}"),
  dbus send bus=system path=/org/freedesktop/login1{,/**}
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name="{@{busname},org.freedesktop.login1{,.*}}", label="@{p_systemd_logind}"),
  dbus send bus=system path=/org/freedesktop/login1{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member=GetManagedObjects
       peer=(name="{@{busname},org.freedesktop.login1{,.*}}", label="@{p_systemd_logind}"),
  dbus receive bus=system path=/org/freedesktop/login1{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member={InterfacesAdded,InterfacesRemoved}
       peer=(name="{@{busname},org.freedesktop.login1{,.*}}", label="@{p_systemd_logind}"),
  unix type=stream addr=none peer=(label=NetworkManager, addr=none),

  dbus (send receive) bus=system path=/org/freedesktop/NetworkManager{,/**}
       interface=org.freedesktop.NetworkManager{,.*}
       peer=(name="{@{busname},org.freedesktop.NetworkManager{,.*}}", label=NetworkManager),
  dbus (send receive) bus=system path=/org/freedesktop/NetworkManager{,/**}
       interface=org.freedesktop.DBus.Properties
       member={Get,GetAll,Set,PropertiesChanged}
       peer=(name="{@{busname},org.freedesktop.NetworkManager{,.*}}", label=NetworkManager),
  dbus send bus=system path=/org/freedesktop/NetworkManager{,/**}
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name="{@{busname},org.freedesktop.NetworkManager{,.*}}", label=NetworkManager),
  dbus send bus=system path=/org/freedesktop/NetworkManager{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member=GetManagedObjects
       peer=(name="{@{busname},org.freedesktop.NetworkManager{,.*}}", label=NetworkManager),
  dbus receive bus=system path=/org/freedesktop/NetworkManager{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member={InterfacesAdded,InterfacesRemoved}
       peer=(name="{@{busname},org.freedesktop.NetworkManager{,.*}}", label=NetworkManager),
  # System-bus peer groups. Each group pairs an unnamed unix stream rule
  # (addr=none on both ends) with the D-Bus rules for the same peer label, so
  # the rules only match while the peer runs confined under that profile.

  # polkitd (label @{p_polkitd}): PolicyKit1 authority/agent traffic.
  unix type=stream addr=none peer=(label="@{p_polkitd}", addr=none),

  dbus (send receive) bus=system path=/org/freedesktop/PolicyKit1{,/**}
       interface=org.freedesktop.PolicyKit1{,.*}
       peer=(name="{@{busname},org.freedesktop.PolicyKit1{,.*}}", label="@{p_polkitd}"),
  dbus (send receive) bus=system path=/org/freedesktop/PolicyKit1{,/**}
       interface=org.freedesktop.DBus.Properties
       member={Get,GetAll,Set,PropertiesChanged}
       peer=(name="{@{busname},org.freedesktop.PolicyKit1{,.*}}", label="@{p_polkitd}"),
  dbus send bus=system path=/org/freedesktop/PolicyKit1{,/**}
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name="{@{busname},org.freedesktop.PolicyKit1{,.*}}", label="@{p_polkitd}"),
  dbus send bus=system path=/org/freedesktop/PolicyKit1{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member=GetManagedObjects
       peer=(name="{@{busname},org.freedesktop.PolicyKit1{,.*}}", label="@{p_polkitd}"),
  dbus receive bus=system path=/org/freedesktop/PolicyKit1{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member={InterfacesAdded,InterfacesRemoved}
       peer=(name="{@{busname},org.freedesktop.PolicyKit1{,.*}}", label="@{p_polkitd}"),
  # power-profiles-daemon (label @{p_power_profiles_daemon}): UPower.PowerProfiles.
  unix type=stream addr=none peer=(label="@{p_power_profiles_daemon}", addr=none),

  dbus (send receive) bus=system path=/org/freedesktop/UPower/PowerProfiles{,/**}
       interface=org.freedesktop.UPower.PowerProfiles{,.*}
       peer=(name="{@{busname},org.freedesktop.UPower.PowerProfiles{,.*}}", label="@{p_power_profiles_daemon}"),
  dbus (send receive) bus=system path=/org/freedesktop/UPower/PowerProfiles{,/**}
       interface=org.freedesktop.DBus.Properties
       member={Get,GetAll,Set,PropertiesChanged}
       peer=(name="{@{busname},org.freedesktop.UPower.PowerProfiles{,.*}}", label="@{p_power_profiles_daemon}"),
  dbus send bus=system path=/org/freedesktop/UPower/PowerProfiles{,/**}
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name="{@{busname},org.freedesktop.UPower.PowerProfiles{,.*}}", label="@{p_power_profiles_daemon}"),
  dbus send bus=system path=/org/freedesktop/UPower/PowerProfiles{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member=GetManagedObjects
       peer=(name="{@{busname},org.freedesktop.UPower.PowerProfiles{,.*}}", label="@{p_power_profiles_daemon}"),
  dbus receive bus=system path=/org/freedesktop/UPower/PowerProfiles{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member={InterfacesAdded,InterfacesRemoved}
       peer=(name="{@{busname},org.freedesktop.UPower.PowerProfiles{,.*}}", label="@{p_power_profiles_daemon}"),
  # gdm (label gdm): org.gnome.DisplayManager.
  unix type=stream addr=none peer=(label=gdm, addr=none),

  dbus (send receive) bus=system path=/org/gnome/DisplayManager{,/**}
       interface=org.gnome.DisplayManager{,.*}
       peer=(name="{@{busname},org.gnome.DisplayManager{,.*}}", label=gdm),
  dbus (send receive) bus=system path=/org/gnome/DisplayManager{,/**}
       interface=org.freedesktop.DBus.Properties
       member={Get,GetAll,Set,PropertiesChanged}
       peer=(name="{@{busname},org.gnome.DisplayManager{,.*}}", label=gdm),
  dbus send bus=system path=/org/gnome/DisplayManager{,/**}
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name="{@{busname},org.gnome.DisplayManager{,.*}}", label=gdm),
  dbus send bus=system path=/org/gnome/DisplayManager{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member=GetManagedObjects
       peer=(name="{@{busname},org.gnome.DisplayManager{,.*}}", label=gdm),
  dbus receive bus=system path=/org/gnome/DisplayManager{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member={InterfacesAdded,InterfacesRemoved}
       peer=(name="{@{busname},org.gnome.DisplayManager{,.*}}", label=gdm),

  # Session-bus peer groups, same shape as the system-bus ones above: one
  # unnamed unix stream rule plus the D-Bus rules for a single peer label.

  # gnome-extension-ding (desktop icons extension): com.rastersoft.ding.
  unix type=stream addr=none peer=(label=gnome-extension-ding, addr=none),

  dbus (send receive) bus=session path=/com/rastersoft/ding{,/**}
       interface=com.rastersoft.ding{,.*}
       peer=(name="{@{busname},com.rastersoft.ding{,.*}}", label=gnome-extension-ding),
  dbus (send receive) bus=session path=/com/rastersoft/ding{,/**}
       interface=org.freedesktop.DBus.Properties
       member={Get,GetAll,Set,PropertiesChanged}
       peer=(name="{@{busname},com.rastersoft.ding{,.*}}", label=gnome-extension-ding),
  dbus send bus=session path=/com/rastersoft/ding{,/**}
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name="{@{busname},com.rastersoft.ding{,.*}}", label=gnome-extension-ding),
  dbus send bus=session path=/com/rastersoft/ding{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member=GetManagedObjects
       peer=(name="{@{busname},com.rastersoft.ding{,.*}}", label=gnome-extension-ding),
  dbus receive bus=session path=/com/rastersoft/ding{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member={InterfacesAdded,InterfacesRemoved}
       peer=(name="{@{busname},com.rastersoft.ding{,.*}}", label=gnome-extension-ding),
  # gjs (label gjs): org.freedesktop.Notifications. A second gjs group for
  # org.gnome.ScreenSaver follows further down.
  unix type=stream addr=none peer=(label=gjs, addr=none),

  dbus (send receive) bus=session path=/org/freedesktop/Notifications{,/**}
       interface=org.freedesktop.Notifications{,.*}
       peer=(name="{@{busname},org.freedesktop.Notifications{,.*}}", label=gjs),
  dbus (send receive) bus=session path=/org/freedesktop/Notifications{,/**}
       interface=org.freedesktop.DBus.Properties
       member={Get,GetAll,Set,PropertiesChanged}
       peer=(name="{@{busname},org.freedesktop.Notifications{,.*}}", label=gjs),
  dbus send bus=session path=/org/freedesktop/Notifications{,/**}
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name="{@{busname},org.freedesktop.Notifications{,.*}}", label=gjs),
  dbus send bus=session path=/org/freedesktop/Notifications{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member=GetManagedObjects
       peer=(name="{@{busname},org.freedesktop.Notifications{,.*}}", label=gjs),
  dbus receive bus=session path=/org/freedesktop/Notifications{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member={InterfacesAdded,InterfacesRemoved}
       peer=(name="{@{busname},org.freedesktop.Notifications{,.*}}", label=gjs),
  # gsd-screensaver-proxy (label gsd-screensaver-proxy): org.freedesktop.ScreenSaver.
  unix type=stream addr=none peer=(label=gsd-screensaver-proxy, addr=none),

  dbus (send receive) bus=session path=/org/freedesktop/ScreenSaver{,/**}
       interface=org.freedesktop.ScreenSaver{,.*}
       peer=(name="{@{busname},org.freedesktop.ScreenSaver{,.*}}", label=gsd-screensaver-proxy),
  dbus (send receive) bus=session path=/org/freedesktop/ScreenSaver{,/**}
       interface=org.freedesktop.DBus.Properties
       member={Get,GetAll,Set,PropertiesChanged}
       peer=(name="{@{busname},org.freedesktop.ScreenSaver{,.*}}", label=gsd-screensaver-proxy),
  dbus send bus=session path=/org/freedesktop/ScreenSaver{,/**}
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name="{@{busname},org.freedesktop.ScreenSaver{,.*}}", label=gsd-screensaver-proxy),
  dbus send bus=session path=/org/freedesktop/ScreenSaver{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member=GetManagedObjects
       peer=(name="{@{busname},org.freedesktop.ScreenSaver{,.*}}", label=gsd-screensaver-proxy),
  dbus receive bus=session path=/org/freedesktop/ScreenSaver{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member={InterfacesAdded,InterfacesRemoved}
       peer=(name="{@{busname},org.freedesktop.ScreenSaver{,.*}}", label=gsd-screensaver-proxy),
  # gnome-* (label glob): any org.gnome.* interface under /org/gnome/* for
  # any peer whose profile name starts with gnome-.
  # NOTE(review): this is the widest of the named groups — the label glob
  # covers every gnome-* helper (and this profile itself), and the interface
  # glob covers every org.gnome.* API, with no member restriction.
  unix type=stream addr=none peer=(label=gnome-*, addr=none),

  dbus (send receive) bus=session path=/org/gnome/*{,/**}
       interface=org.gnome.*{,.*}
       peer=(name="{@{busname},org.gnome.*{,.*}}", label=gnome-*),
  dbus (send receive) bus=session path=/org/gnome/*{,/**}
       interface=org.freedesktop.DBus.Properties
       member={Get,GetAll,Set,PropertiesChanged}
       peer=(name="{@{busname},org.gnome.*{,.*}}", label=gnome-*),
  dbus send bus=session path=/org/gnome/*{,/**}
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name="{@{busname},org.gnome.*{,.*}}", label=gnome-*),
  dbus send bus=session path=/org/gnome/*{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member=GetManagedObjects
       peer=(name="{@{busname},org.gnome.*{,.*}}", label=gnome-*),
  dbus receive bus=session path=/org/gnome/*{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member={InterfacesAdded,InterfacesRemoved}
       peer=(name="{@{busname},org.gnome.*{,.*}}", label=gnome-*),
  # Search providers (label=*): providers are shipped by arbitrary
  # applications, so the peer label is left unrestricted.
  # NOTE(review): the D-Bus rules below stay bounded by the *.SearchProvider
  # path and bus name, but the unix rule on the next line carries no bound at
  # all — it permits unnamed stream sockets to a peer of any label.
  unix type=stream addr=none peer=(label=*, addr=none),

  dbus (send receive) bus=session path=/org/gnome/*/SearchProvider{,/**}
       interface=org.gnome.*.SearchProvider{,.*}
       peer=(name="{@{busname},org.gnome.*.SearchProvider{,.*}}", label=*),
  dbus (send receive) bus=session path=/org/gnome/*/SearchProvider{,/**}
       interface=org.gnome.Shell.SearchProvider2
       peer=(name="{@{busname},org.gnome.*.SearchProvider{,.*}}", label=*),
  dbus (send receive) bus=session path=/org/gnome/*/SearchProvider{,/**}
       interface=org.freedesktop.DBus.Properties
       member={Get,GetAll,Set,PropertiesChanged}
       peer=(name="{@{busname},org.gnome.*.SearchProvider{,.*}}", label=*),
  dbus send bus=session path=/org/gnome/*/SearchProvider{,/**}
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name="{@{busname},org.gnome.*.SearchProvider{,.*}}", label=*),
  dbus send bus=session path=/org/gnome/*/SearchProvider{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member=GetManagedObjects
       peer=(name="{@{busname},org.gnome.*.SearchProvider{,.*}}", label=*),
  dbus receive bus=session path=/org/gnome/*/SearchProvider{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member={InterfacesAdded,InterfacesRemoved}
       peer=(name="{@{busname},org.gnome.*.SearchProvider{,.*}}", label=*),
  # nautilus (label nautilus): org.gnome.Nautilus.
  unix type=stream addr=none peer=(label=nautilus, addr=none),

  dbus (send receive) bus=session path=/org/gnome/Nautilus{,/**}
       interface=org.gnome.Nautilus{,.*}
       peer=(name="{@{busname},org.gnome.Nautilus{,.*}}", label=nautilus),
  dbus (send receive) bus=session path=/org/gnome/Nautilus{,/**}
       interface=org.freedesktop.DBus.Properties
       member={Get,GetAll,Set,PropertiesChanged}
       peer=(name="{@{busname},org.gnome.Nautilus{,.*}}", label=nautilus),
  dbus send bus=session path=/org/gnome/Nautilus{,/**}
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name="{@{busname},org.gnome.Nautilus{,.*}}", label=nautilus),
  dbus send bus=session path=/org/gnome/Nautilus{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member=GetManagedObjects
       peer=(name="{@{busname},org.gnome.Nautilus{,.*}}", label=nautilus),
  dbus receive bus=session path=/org/gnome/Nautilus{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member={InterfacesAdded,InterfacesRemoved}
       peer=(name="{@{busname},org.gnome.Nautilus{,.*}}", label=nautilus),
  # gjs (label gjs), second group: org.gnome.ScreenSaver.
  unix type=stream addr=none peer=(label=gjs, addr=none),

  dbus (send receive) bus=session path=/org/gnome/ScreenSaver{,/**}
       interface=org.gnome.ScreenSaver{,.*}
       peer=(name="{@{busname},org.gnome.ScreenSaver{,.*}}", label=gjs),
  dbus (send receive) bus=session path=/org/gnome/ScreenSaver{,/**}
       interface=org.freedesktop.DBus.Properties
       member={Get,GetAll,Set,PropertiesChanged}
       peer=(name="{@{busname},org.gnome.ScreenSaver{,.*}}", label=gjs),
  dbus send bus=session path=/org/gnome/ScreenSaver{,/**}
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name="{@{busname},org.gnome.ScreenSaver{,.*}}", label=gjs),
  dbus send bus=session path=/org/gnome/ScreenSaver{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member=GetManagedObjects
       peer=(name="{@{busname},org.gnome.ScreenSaver{,.*}}", label=gjs),
  dbus receive bus=session path=/org/gnome/ScreenSaver{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member={InterfacesAdded,InterfacesRemoved}
       peer=(name="{@{busname},org.gnome.ScreenSaver{,.*}}", label=gjs),
  # gsd-* (label glob): org.gnome.SettingsDaemon.* for any gnome-settings-daemon
  # plugin profile (gsd-*).
  unix type=stream addr=none peer=(label=gsd-*, addr=none),

  dbus (send receive) bus=session path=/org/gnome/SettingsDaemon/*{,/**}
       interface=org.gnome.SettingsDaemon.*{,.*}
       peer=(name="{@{busname},org.gnome.SettingsDaemon.*{,.*}}", label=gsd-*),
  dbus (send receive) bus=session path=/org/gnome/SettingsDaemon/*{,/**}
       interface=org.freedesktop.DBus.Properties
       member={Get,GetAll,Set,PropertiesChanged}
       peer=(name="{@{busname},org.gnome.SettingsDaemon.*{,.*}}", label=gsd-*),
  dbus send bus=session path=/org/gnome/SettingsDaemon/*{,/**}
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name="{@{busname},org.gnome.SettingsDaemon.*{,.*}}", label=gsd-*),
  dbus send bus=session path=/org/gnome/SettingsDaemon/*{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member=GetManagedObjects
       peer=(name="{@{busname},org.gnome.SettingsDaemon.*{,.*}}", label=gsd-*),
  dbus receive bus=session path=/org/gnome/SettingsDaemon/*{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member={InterfacesAdded,InterfacesRemoved}
       peer=(name="{@{busname},org.gnome.SettingsDaemon.*{,.*}}", label=gsd-*),
  # gvfsd and its backends (label gvfsd{,-*}): org.gtk.vfs.
  unix type=stream addr=none peer=(label="gvfsd{,-*}", addr=none),

  dbus (send receive) bus=session path=/org/gtk/vfs{,/**}
       interface=org.gtk.vfs{,.*}
       peer=(name="{@{busname},org.gtk.vfs{,.*}}", label="gvfsd{,-*}"),
  dbus (send receive) bus=session path=/org/gtk/vfs{,/**}
       interface=org.freedesktop.DBus.Properties
       member={Get,GetAll,Set,PropertiesChanged}
       peer=(name="{@{busname},org.gtk.vfs{,.*}}", label="gvfsd{,-*}"),
  dbus send bus=session path=/org/gtk/vfs{,/**}
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name="{@{busname},org.gtk.vfs{,.*}}", label="gvfsd{,-*}"),
  dbus send bus=session path=/org/gtk/vfs{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member=GetManagedObjects
       peer=(name="{@{busname},org.gtk.vfs{,.*}}", label="gvfsd{,-*}"),
  dbus receive bus=session path=/org/gtk/vfs{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member={InterfacesAdded,InterfacesRemoved}
       peer=(name="{@{busname},org.gtk.vfs{,.*}}", label="gvfsd{,-*}"),

  # Session bus (rules not tied to a single peer profile)

  # Broad: any interface and member under /org/gnome/** toward any org.gnome.*
  # well-known name, with no peer label constraint.
  dbus send bus=session path=/org/gnome/**
       peer=(name=org.gnome.*),

  # Bus-daemon queries (name ownership lookups).
  dbus send bus=session path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus.Properties
       member=GetAll
       peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
  dbus send bus=session path=/
       interface=org.freedesktop.DBus
       member={GetNameOwner,ListNames}
       peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),

  # Accessibility: register the shell's toplevel with the AT-SPI registry.
  dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
       interface=org.a11y.atspi.Socket
       member=Embed
       peer=(name=org.a11y.atspi.Registry),

  # Unit job completion signals from the user's systemd instance.
  dbus receive bus=session path=/org/freedesktop/systemd1
       interface=org.freedesktop.systemd1.Manager
       member=JobRemoved
       peer=(name=@{busname}, label="@{p_systemd_user}"),

  # FIXME: I think gnome-shell is the owner of the notifications, it should then be
  # fully allowed to send/receive to/from anyone.
  # FIXME: same for dbusmenu; icon things
  # Property reads on status-notifier items and MPRIS players, from any unique
  # connection name (no peer label).
  dbus send bus=session path=/StatusNotifierItem
       interface=org.freedesktop.DBus.Properties
       member={Get,GetAll}
       peer=(name=@{busname}),

  dbus send bus=session path=/org/mpris/MediaPlayer2
       interface=org.freedesktop.DBus.Properties
       member={Get,GetAll}
       peer=(name=@{busname}),

  # GMenu exports from any unique connection name; no path restriction.
  dbus receive bus=session
       interface=org.gtk.Menus
       member=Changed
       peer=(name=@{busname}),
  dbus send bus=session
       interface=org.gtk.Menus
       member=Start
       peer=(name=@{busname}),

  # Needed as a dbus server to administrate the mpris interface
  include <abstractions/bus/accessibility/own>
  # Name ownership on both buses, plus peer credential lookups
  # (GetConnectionUnix*/GetConnectionCredentials) against the bus daemon,
  # presumably to identify the calling peer.
  dbus send bus=system path=/{,org/freedesktop/DBus}
       interface=org.freedesktop.DBus
       member={ListNames,RequestName,ReleaseName}
       peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
  dbus send bus=system path=/{,org/freedesktop/DBus}
       interface=org.freedesktop.DBus
       member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials}
       peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
  dbus send bus=session path=/{,org/freedesktop/DBus}
       interface=org.freedesktop.DBus
       member={ListNames,RequestName,ReleaseName}
       peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
  dbus send bus=session path=/{,org/freedesktop/DBus}
       interface=org.freedesktop.DBus
       member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials}
       peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),

  # NetworkManager object additions (system bus), bounded by peer label.
  dbus receive bus=system path=/org/freedesktop
       interface=org.freedesktop.DBus.ObjectManager
       member=InterfacesAdded
       peer=(name=@{busname}, label=NetworkManager),


  # Introspection of any session peer (no path, no label) and of the bus daemon.
  dbus send bus=session
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name=@{busname}),
  dbus send bus=session
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),

  # Executable transitions. rix: inherit this profile; rpx: run under the
  # program's own profile (an explicit target follows ->); Px: same, with a
  # scrubbed environment; rcx -> X: enter the nested sub-profile X defined at
  # the end of this profile; rpux: own profile if one exists, else unconfined.
  @{exec_path} mr,

  # Extension archives are unpacked in-profile (see the *.shell-extension.zip rule below).
  @{bin}/unzip                  rix,

  @{bin}/flatpak                rpx,
  @{bin}/gjs-console            rpx -> gnome-extension,
  @{bin}/glib-compile-schemas   rpx,
  @{bin}/ibus-daemon            rpx,
  @{bin}/nvidia-smi             rpx, # FIXME: for extension only
  @{bin}/sensors                rpx,
  @{bin}/tecla                  rpx,
  @{bin}/Xwayland               rpx,
  @{lib}/@{multiarch}/glib-2.0/glib-compile-schemas rpx,
  @{lib}/{,NetworkManager/}nm-openvpn-auth-dialog rpx,
  @{lib}/mutter-x11-frames      rpx,
  # Polkit agent helper (authentication prompts): Px so the environment is
  # scrubbed before the transition.
  /{,usr/}lib{,exec,32,64}/polkit-[0-9]/polkit-agent-helper-[0-9] Px,
  /{,usr/}lib{,exec,32,64}/polkit-agent-helper-[0-9] Px,

  @{sh_path}                                              rcx -> shell,
  @{bin}/pkexec                                           rcx -> pkexec,
  @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop  rcx -> open,
  @{lib}/gio-launch-desktop                               rcx -> open,
  @{python_path}                                          rcx -> python,

  # NOTE(review): pux falls back to unconfined. An executable shipped inside a
  # user-installed extension (the first path is user-writable) therefore runs
  # unconfined unless a profile for that exact path exists.
  @{user_share_dirs}/gnome-shell/extensions/*/**       rpux,
  /usr/share/gnome-shell/extensions/*/**               rpux,

  # Read-only desktop data: icons, backgrounds, session and menu definitions,
  # hardware databases used for device naming.
  /snap/*/@{uid}/**.@{icon_ext} r,
  /usr/share/**.@{icon_ext} r,
  /usr/share/**/icons/{,**} r,
  /usr/share/backgrounds/{,**} r,
  /usr/share/byobu/desktop/byobu* r,
  /usr/share/desktop-directories/{,*.directory} r,
  /usr/share/gdm/BuiltInSessions/{,*.desktop} r,
  /usr/share/gdm/greeter/applications/{,**} r,
  /usr/share/libgweather/Locations.xml r,
  /usr/share/libinput*/{,**} r,
  /usr/share/libwacom/{,*.stylus,*.tablet} r,
  /usr/share/wallpapers/** r,
  /usr/share/wayland-sessions/{,*.desktop} r,
  /usr/share/xml/iso-codes/{,**} r,
  @{system_share_dirs}/gnome-shell/{,**} r,

  /etc/fstab r,
  /etc/timezone r,
  /etc/tpm2-tss/*.json r,                 # NOTE(review): TPM2 TSS config — presumably pulled in via the PKCS#11 stack; confirm
  /etc/udev/hwdb.bin r,
  /etc/xdg/menus/gnome-applications.menu r,

  # User avatars managed by AccountsService (readable for all users, e.g. on the greeter).
  /var/lib/AccountsService/icons/* r,

  /var/lib/flatpak/app/**/gnome-shell/{,**} r,
  /var/lib/flatpak/appstream/**/icons/** r,

  # attach_disconnected view of the shell's own root and sandbox metadata.
  owner @{att}/ r,
  owner @{att}/.flatpak-info r,

  # State of the gdm user (the shell running as the greeter): caches for
  # sounds, fonts, GStreamer and GPU shaders; ibus and pulse config; ICC
  # profiles generated from monitor EDIDs.
  owner @{gdm_cache_dirs}/ w,
  owner @{gdm_cache_dirs}/event-sound-cache.tdb.@{hex32}.@{multiarch} rwk,
  owner @{gdm_cache_dirs}/fontconfig/{,*} rwl,
  owner @{gdm_cache_dirs}/glycin/{,**} rw,
  owner @{gdm_cache_dirs}/gstreamer-@{int}/ rw,
  owner @{gdm_cache_dirs}/gstreamer-@{int}/registry.*.bin{,.tmp@{rand6}} rw,
  owner @{gdm_cache_dirs}/ibus/dbus-@{rand8} rw,
  owner @{gdm_cache_dirs}/libgweather/ r,
  owner @{gdm_cache_dirs}/nvidia/GLCache/ rw,
  owner @{gdm_cache_dirs}/nvidia/GLCache/** rwk,
  owner @{gdm_config_dirs}/ibus/ rw,
  owner @{gdm_config_dirs}/ibus/bus/ rw,
  owner @{gdm_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r,
  owner @{gdm_config_dirs}/pulse/ rw,
  owner @{gdm_config_dirs}/pulse/client.conf r,
  owner @{gdm_config_dirs}/pulse/cookie rwk,
  owner @{gdm_local_dirs}/ w,
  owner @{gdm_share_dirs}/ w,
  owner @{gdm_share_dirs}/applications/{,**} r,
  owner @{gdm_share_dirs}/gnome-shell/{,**} rw,
  owner @{gdm_share_dirs}/icc/ rw,
  owner @{gdm_share_dirs}/icc/.goutputstream-@{rand6} rw,
  owner @{gdm_share_dirs}/icc/edid-@{hex32}.icc rw,

  # Per-user state (all owner-restricted).
  owner @{HOME}/.face r,
  owner @{HOME}/.mozilla/firefox/firefox-mpris/{,*} r,
  # Browser-connector native-messaging manifests (org.gnome.shell.*.json) for
  # Firefox here and for Chromium-style browsers under user_config_dirs below.
  owner @{HOME}/.mozilla/native-messaging-hosts/ rw,
  owner @{HOME}/.mozilla/native-messaging-hosts/org.gnome.shell.*.json{,.@{rand6}} rw,
  owner @{HOME}/.tpm2_pkcs11/tpm2_pkcs11.sqlite3 rw,   # NOTE(review): TPM2 PKCS#11 token store — confirm which component opens it
  owner @{HOME}/.var/app/**.@{icon_ext} r,
  owner @{HOME}/.var/app/**/ r,
  owner @{HOME}/@{XDG_SCREENSHOTS_DIR}/{,**} rw,
  owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} rw,

  owner @{user_games_dirs}/**.@{image_ext} r,
  owner @{user_music_dirs}/**.@{image_ext} r,

  owner @{user_config_dirs}/.goutputstream{,-@{rand6}} rw,
  owner @{user_config_dirs}/**/NativeMessagingHosts/ rw,
  owner @{user_config_dirs}/**/NativeMessagingHosts/org.gnome.shell.*.json{,.@{rand6}} rw,
  owner @{user_config_dirs}/background r,
  owner @{user_config_dirs}/ibus/ w,
  owner @{user_config_dirs}/monitors.xml{,~} rwl,
  owner @{user_config_dirs}/tiling-assistant/{,**} rw,

  owner @{user_share_dirs}/backgrounds/{,**} rw,
  # The shell registers its own org.gnome.Shell.* D-Bus services, .desktop
  # entries and icons; the @{rand6} suffix covers GLib's atomic-write temp files.
  owner @{user_share_dirs}/dbus-1/services/ r,
  owner @{user_share_dirs}/dbus-1/services/org.gnome.Shell.*.service{,.@{rand6}} rw,
  owner @{user_share_dirs}/desktop-directories/{,**} r,
  owner @{user_share_dirs}/gnome-shell/{,**} rw,
  owner @{user_share_dirs}/gnome-shell/extensions/{,**} r,
  owner @{user_share_dirs}/gvfs-metadata/{,*} r,
  owner @{user_share_dirs}/icc/ rw,
  owner @{user_share_dirs}/icc/.goutputstream-@{rand6} rw,
  owner @{user_share_dirs}/icc/edid-@{hex32}.icc rw,
  owner @{user_share_dirs}/icons/**/org.gnome.Shell.*.svg{,.@{rand6}} w,

  # Caches of other applications read for thumbnails/artwork (read-only).
  owner @{user_cache_dirs}/evolution/addressbook/*/PHOTO-* r,
  owner @{user_cache_dirs}/gnome-boxes/*.png r,
  owner @{user_cache_dirs}/gnome-photos/{,**} r,
  owner @{user_cache_dirs}/gnome-screenshot/{,**} rw,
  owner @{user_cache_dirs}/gnome-software/icons/{,**} r,
  owner @{user_cache_dirs}/gsconnect/@{hex} r,
  owner @{user_cache_dirs}/libgweather/{,**} rw,
  owner @{user_cache_dirs}/media-art/{,**} r,
  owner @{user_cache_dirs}/vlc/**/*.jpg r,
  owner @{user_share_dirs}/applications/org.gnome.Shell.*.desktop{,.@{rand6}} rw,

  # Runtime directories. Lines aligned without `owner` apply regardless of the
  # file's owner (the gdm bus socket, X lock and system bus socket).
        @{run}/gdm{3,}/dbus/dbus-@{rand8} rw,
  owner @{run}/user/@{uid}/app/*/.org.chromium.Chromium.@{rand6}/*.@{icon_ext} r,
  owner @{run}/user/@{uid}/app/*/*.@{rand6} r,
  owner @{run}/user/@{uid}/gnome-shell-disable-extensions rw,
  owner @{run}/user/@{uid}/gnome-shell/{,**} rw,
  owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
  owner @{run}/user/@{uid}/snap.*/wayland-cursor-shared-@{rand6} rw,
  owner @{run}/user/@{uid}/systemd/notify rw,

  # Shared-memory buffers handed over by Chromium-based apps and Firefox.
  owner /dev/shm/.org.chromium.Chromium.@{rand6} rw,
  owner /dev/shm/wayland.mozilla.ipc.@{int} rw,

        /tmp/.X@{int}-lock rw,
        /tmp/dbus-@{rand8} rw,
  owner @{tmp}/.org.chromium.Chromium.@{rand6} r,
  owner @{tmp}/.org.chromium.Chromium.@{rand6}/ r,
  owner @{tmp}/.org.chromium.Chromium.@{rand6}/*.@{icon_ext} r,
  owner @{tmp}/@{rand6}.shell-extension.zip rw,                 # downloaded extension archive, unpacked by unzip (rix above)
  owner @{tmp}/gdkpixbuf-xpm-tmp.@{rand6} rw,

  # logind inhibitor lock fds, seen through the attach_disconnected path.
  @{att}@{run}/systemd/inhibit/@{int}.ref rw,

  # logind session/seat state (read-only).
  @{run}/systemd/users/@{uid} r,
  @{run}/systemd/seats/seat@{int} r,
  @{run}/systemd/sessions/  r,
  @{run}/systemd/sessions/* r,

  @{run}/udev/tags/seat/ r,

  # udev device database entries; each line names the device class it exposes.
  @{run}/udev/data/+acpi:* r,             # Exposes ACPI objects (power buttons, batteries, thermal)
  @{run}/udev/data/+dmi:id r,             # for motherboard info
  @{run}/udev/data/+drm:card@{int}-* r,   # For screen outputs
  @{run}/udev/data/+hid:* r,              # For Human Interface Device (mice, controllers, drawing tablets, scanners)
  @{run}/udev/data/+i2c:* r,              # For Inter-Integrated Circuit, low-speed peripherals (sensors, EEPROMs, etc.)
  @{run}/udev/data/+input:input@{int} r,  # for mouse, keyboard, touchpad
  @{run}/udev/data/+pci:* r,              # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.)
  @{run}/udev/data/+platform:* r,         # Identifies onboard devices (laptop/board model, power controllers, thermal sensors)
  @{run}/udev/data/+sound:card@{int} r,   # for sound card
  @{run}/udev/data/c10:@{int} r,          # for non-serial mice, misc features
  @{run}/udev/data/c13:@{int} r,          # for /dev/input/*
  @{run}/udev/data/c189:@{int}  r,        # for /dev/bus/usb/**
  @{run}/udev/data/n@{int} r,             # For network interfaces

  # sysfs reads: device enumeration, GPU/VRAM and network counters, hwmon
  # sensors, power supplies and DMI identity. Several of these look like
  # system-monitor extension needs rather than the shell's own.
  @{sys}/**/uevent r,
  @{sys}/bus/ r,
  @{sys}/class/backlight/ r,
  @{sys}/class/hwmon/ r,
  @{sys}/class/input/ r,
  @{sys}/class/net/ r,
  @{sys}/class/power_supply/ r,
  @{sys}/devices/@{pci}/boot_vga r,
  @{sys}/devices/@{pci}/gpu_busy_percent r,
  @{sys}/devices/@{pci}/input@{int}/{properties,name} r,
  @{sys}/devices/@{pci}/mem_info_vram_* r,
  @{sys}/devices/@{pci}/net/*/statistics/collisions r,
  @{sys}/devices/@{pci}/net/*/statistics/rx_{bytes,errors,packets} r,
  @{sys}/devices/@{pci}/net/*/statistics/tx_{bytes,errors,packets} r,
  @{sys}/devices/@{pci}/usb@{int}/**/leds/ r,
  @{sys}/devices/@{pci}/usb@{int}/**/net/*/statistics/collisions r,
  @{sys}/devices/@{pci}/usb@{int}/**/net/*/statistics/rx_{bytes,errors,packets} r,
  @{sys}/devices/@{pci}/usb@{int}/**/net/*/statistics/tx_{bytes,errors,packets} r,
  @{sys}/devices/**/hwmon@{int}/{,name,temp*,fan*} r,
  @{sys}/devices/**/hwmon@{int}/**/{,name,temp*,fan*} r,
  @{sys}/devices/**/hwmon/{,name,temp*,fan*} r,
  @{sys}/devices/**/hwmon/**/{,name,temp*,fan*} r,
  @{sys}/devices/**/power_supply/{,**} r,
  @{sys}/devices/platform/**/input@{int}/{properties,name} r,
  @{sys}/devices/virtual/dmi/id/bios_vendor r,
  @{sys}/devices/virtual/dmi/id/product_name r,
  @{sys}/devices/virtual/dmi/id/sys_vendor r,
  @{sys}/devices/virtual/net/*/statistics/collisions r,
  @{sys}/devices/virtual/net/*/statistics/rx_{bytes,errors,packets} r,
  @{sys}/devices/virtual/net/*/statistics/tx_{bytes,errors,packets} r,

  # CPU quota of the user's session slice (own cgroup only).
  owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/cpu.max r,

  # procfs. The unowned entries (aligned without `owner`) match any pid: the
  # shell may read the AppArmor label, cgroup, command line and net tables of
  # other processes, not only its own.
        @{PROC}/ r,
        @{PROC}/@{pid}/attr/current r,
        @{PROC}/@{pid}/cgroup r,
        @{PROC}/@{pid}/cmdline r,
        @{PROC}/@{pid}/net/* r,
        @{PROC}/1/cgroup r,
        @{PROC}/cmdline r,
        @{PROC}/sys/kernel/osrelease r,
        @{PROC}/sys/net/ipv{4,6}/conf/all/disable_ipv{4,6} r,
        @{PROC}/vmstat r,
  owner @{PROC}/@{pid}/fd/ r,
  owner @{PROC}/@{pid}/fdinfo/@{int} r,
  owner @{PROC}/@{pid}/mountinfo r,
  owner @{PROC}/@{pid}/mounts r,
  owner @{PROC}/@{pid}/stat r,
  owner @{PROC}/@{pid}/task/@{pid}/cmdline r,
  owner @{PROC}/@{pid}/task/@{tid}/comm rw,                 # thread naming
  owner @{PROC}/@{pid}/task/@{tid}/stat r,

  # Devices: the VT, and DRM/input nodes seen through the attach_disconnected path.
        /dev/tty@{int} rw,
  @{att}/dev/dri/card@{int} rw,
  @{att}/dev/input/event@{int} rw,

  # Child profile for @{sh_path} launched by the shell (rcx -> shell above).
  # Confines the few inspection tools it may run (cat, grep, lsmod, pmap).
  profile shell  flags=(attach_disconnected,attach_disconnected.path=@{att},mediate_deleted,complain) {
    include <abstractions/attached/base>

    # NOTE(review): sys_ptrace together with an unscoped `ptrace read` lets
    # this shell inspect any process (pmap reads other pids' mappings). The
    # pkexec sub-profile below scopes its ptrace rule with peer=; consider
    # doing the same here once the extension that needs it is identified.
    capability sys_ptrace,

    ptrace read,

    @{sh_path} mr,

    @{bin}/cat   rix,
    @{bin}/{,e}grep  rix,
    # lsmod is typically a symlink to kmod; it runs in the nested lsmod sub-profile.
    @{bin}/kmod  rpx -> gnome-shell//lsmod,
    @{bin}/pmap  rix,

    @{sys}/devices/system/node/ r,

          @{PROC}/uptime r,
    owner @{PROC}/@{pid}/cmdline r,
    owner @{PROC}/@{pid}/stat r,

    /dev/tty rw,

    include if exists <local/gnome-shell_shell>
  }

  # Child profile for kmod/lsmod (reached from the shell sub-profile above):
  # read-only listing of loaded kernel modules.
  profile lsmod  flags=(attach_disconnected,attach_disconnected.path=@{att},mediate_deleted,complain) {
    include <abstractions/attached/base>
    include <abstractions/app/kmod>

    @{sys}/module/{,**} r,

    include if exists <local/gnome-shell_lsmod>
  }

  # Child profile for pkexec (rcx -> pkexec above): privilege-elevation
  # requests made by the shell or its extensions.
  profile pkexec flags=(attach_disconnected,attach_disconnected.path=@{att},mediate_deleted,complain) {
    include <abstractions/attached/base>
    include <abstractions/app/pkexec>

    # Scoped to the launching shell only (contrast with the shell sub-profile).
    ptrace read peer=gnome-shell,

    @{bin}/pkexec mr,

    # Battery-threshold helper; rpx requires a profile matching its path.
    /usr/local/bin/batteryhealthchargingctl{,-@{user}} rpx,
    @{bin}/batteryhealthchargingctl{,-@{user}} rpx,

    include if exists <local/gnome-shell_pkexec>
  }

  # Child profile for @{python_path} (rcx -> python above). It carries no file
  # rules of its own beyond the python abstraction; the commented-out path
  # suggests extension scripts are the intended scope.
  profile python flags=(attach_disconnected,attach_disconnected.path=@{att},mediate_deleted,complain) {
    include <abstractions/attached/base>
    include <abstractions/python>

    # /usr/share/gnome-shell/extensions/{,**}

    include if exists <local/gnome-shell_python>
  }

  # Child profile for gio-launch-desktop (rcx -> open above): starts the
  # program named by a .desktop file on the shell's behalf.
  profile open  flags=(attach_disconnected,attach_disconnected.path=@{att},mediate_deleted,complain) {
    include <abstractions/attached/base>
    include <abstractions/mesa>

    # NOTE(review): inet stream access in a launcher sub-profile looks wider
    # than gio-launch-desktop itself should need — confirm which launch path
    # requires it before keeping it.
    network inet stream,
    network unix stream,

    @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop  mr,
    @{lib}/gio-launch-desktop                               mr,

    # Launcher fan-out: pux runs the target under its own profile when one
    # exists and unconfined otherwise, so confinement of launched programs
    # depends entirely on a matching profile being installed.
    @{lib}/**                     pux,
    @{bin}/**                     pux,
    /opt/*/**                     pux,
    /usr/share/*/**               pux,
    /usr/local/bin/**             pux,
    /usr/games/**                 pux,

    owner @{user_share_dirs}/gnome-shell/session.gvdb rw,

    owner @{run}/user/@{uid}/gnome-shell-disable-extensions w,

    # Explicit deny: rejects the read and keeps the attempt out of the audit log.
    deny @{user_share_dirs}/gvfs-metadata/* r,

    include if exists <local/gnome-shell_open>
  }

  # Site-local overrides; optional so the profile loads when the file is absent.
  include if exists <local/gnome-shell>
}

# vim:syntax=apparmor
