# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/4.0>,

include <tunables/global>

# Profile for ksmserver, the KDE Plasma session manager.
# @{att} is the prefix AppArmor prepends to disconnected paths
# (see flags=attach_disconnected.path below); rules that must match
# such paths spell it out explicitly, e.g. the systemd inhibit rule.
@{exec_path} = @{bin}/ksmserver
@{att} = /att/ksmserver/
# NOTE: the profile is in complain mode (flags=(...,complain)) — denials are
# only logged, nothing is enforced until that flag is removed.
profile ksmserver /{,usr/}bin/ksmserver  flags=(attach_disconnected,attach_disconnected.path=@{att},mediate_deleted,complain) {
  include <abstractions/attached/base>
  include <abstractions/app-launcher-user>
  include <abstractions/audio-client>
  include <abstractions/bus-session>
  include <abstractions/bus-system>
  include <abstractions/bus/org.freedesktop.login1.Session>
  include <abstractions/graphics>
  include <abstractions/kde-strict>
  include <abstractions/nameservice-strict>

  # Session manager signals the lock-screen greeter; only usr1/term are allowed.
  signal send set=(usr1,term) peer=kscreenlocker_greet,

  ptrace (read) peer=kbuildsycoca5,

  # D-Bus: the four well-known session-bus names this service owns, each with
  # the same receive/send/Properties/Introspectable/ObjectManager rule set.
  # <abstractions/bus/session/own> is included once per owned name below
  # (the repeated includes are harmless, the parser merges them).
  include <abstractions/bus/session/own>

  dbus bind bus=session name=org.freedesktop.ScreenSaver{,.*},
  dbus receive bus=session path=/org/freedesktop/ScreenSaver{,/**}
       interface=org.freedesktop.ScreenSaver{,.*}
       peer=(name="@{busname}"),
  dbus send bus=session path=/org/freedesktop/ScreenSaver{,/**}
       interface=org.freedesktop.ScreenSaver{,.*}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  dbus (send receive) bus=session path=/org/freedesktop/ScreenSaver{,/**}
       interface=org.freedesktop.DBus.Properties
       member={Get,GetAll,Set,PropertiesChanged}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  dbus receive bus=session path=/org/freedesktop/ScreenSaver{,/**}
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name="@{busname}"),
  dbus receive bus=session path=/org/freedesktop/ScreenSaver{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member=GetManagedObjects
       peer=(name="{@{busname},org.freedesktop.ScreenSaver{,.*}}"),
  dbus send bus=session path=/org/freedesktop/ScreenSaver{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member={InterfacesAdded,InterfacesRemoved}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  include <abstractions/bus/session/own>

  dbus bind bus=session name=org.kde.ksmserver{,.*},
  dbus receive bus=session path=/KSMServer
       interface=org.kde.ksmserver{,.*}
       peer=(name="@{busname}"),
  dbus send bus=session path=/KSMServer
       interface=org.kde.ksmserver{,.*}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  dbus (send receive) bus=session path=/KSMServer
       interface=org.freedesktop.DBus.Properties
       member={Get,GetAll,Set,PropertiesChanged}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  dbus receive bus=session path=/KSMServer
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name="@{busname}"),
  dbus receive bus=session path=/KSMServer
       interface=org.freedesktop.DBus.ObjectManager
       member=GetManagedObjects
       peer=(name="{@{busname},org.kde.ksmserver{,.*}}"),
  dbus send bus=session path=/KSMServer
       interface=org.freedesktop.DBus.ObjectManager
       member={InterfacesAdded,InterfacesRemoved}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  include <abstractions/bus/session/own>

  dbus bind bus=session name=org.kde.KSMServerInterface{,.*},
  dbus receive bus=session path=/KSMServer
       interface=org.kde.KSMServerInterface{,.*}
       peer=(name="@{busname}"),
  dbus send bus=session path=/KSMServer
       interface=org.kde.KSMServerInterface{,.*}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  dbus (send receive) bus=session path=/KSMServer
       interface=org.freedesktop.DBus.Properties
       member={Get,GetAll,Set,PropertiesChanged}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  dbus receive bus=session path=/KSMServer
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name="@{busname}"),
  dbus receive bus=session path=/KSMServer
       interface=org.freedesktop.DBus.ObjectManager
       member=GetManagedObjects
       peer=(name="{@{busname},org.kde.KSMServerInterface{,.*}}"),
  dbus send bus=session path=/KSMServer
       interface=org.freedesktop.DBus.ObjectManager
       member={InterfacesAdded,InterfacesRemoved}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  include <abstractions/bus/session/own>

  dbus bind bus=session name=org.kde.screensaver{,.*},
  dbus receive bus=session path=/org/kde/screensaver{,/**}
       interface=org.kde.screensaver{,.*}
       peer=(name="@{busname}"),
  dbus send bus=session path=/org/kde/screensaver{,/**}
       interface=org.kde.screensaver{,.*}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  dbus (send receive) bus=session path=/org/kde/screensaver{,/**}
       interface=org.freedesktop.DBus.Properties
       member={Get,GetAll,Set,PropertiesChanged}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  dbus receive bus=session path=/org/kde/screensaver{,/**}
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name="@{busname}"),
  dbus receive bus=session path=/org/kde/screensaver{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member=GetManagedObjects
       peer=(name="{@{busname},org.kde.screensaver{,.*}}"),
  dbus send bus=session path=/org/kde/screensaver{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member={InterfacesAdded,InterfacesRemoved}
       peer=(name="{@{busname},org.freedesktop.DBus}"),

  # Peer-confined IPC: the D-Bus rules for KGlobalAccel and KWin.Session are
  # restricted by peer label, so only the confined kglobalacceld / kwin_wayland
  # processes match, not any unconfined process that claims the bus name.
  unix type=stream addr=none peer=(label=kglobalacceld, addr=none),

  dbus (send receive) bus=session path=/
       interface=org.kde.KGlobalAccel{,.*}
       peer=(name="{@{busname},org.kde.KGlobalAccel{,.*}}", label=kglobalacceld),
  dbus (send receive) bus=session path=/
       interface=org.freedesktop.DBus.Properties
       member={Get,GetAll,Set,PropertiesChanged}
       peer=(name="{@{busname},org.kde.KGlobalAccel{,.*}}", label=kglobalacceld),
  dbus send bus=session path=/
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name="{@{busname},org.kde.KGlobalAccel{,.*}}", label=kglobalacceld),
  dbus send bus=session path=/
       interface=org.freedesktop.DBus.ObjectManager
       member=GetManagedObjects
       peer=(name="{@{busname},org.kde.KGlobalAccel{,.*}}", label=kglobalacceld),
  dbus receive bus=session path=/
       interface=org.freedesktop.DBus.ObjectManager
       member={InterfacesAdded,InterfacesRemoved}
       peer=(name="{@{busname},org.kde.KGlobalAccel{,.*}}", label=kglobalacceld),
  unix type=stream addr=none peer=(label=kwin_wayland, addr=none),

  dbus (send receive) bus=session path=/Session
       interface=org.kde.KWin.Session{,.*}
       peer=(name="{@{busname},org.kde.KWin.Session{,.*}}", label=kwin_wayland),
  dbus (send receive) bus=session path=/Session
       interface=org.freedesktop.DBus.Properties
       member={Get,GetAll,Set,PropertiesChanged}
       peer=(name="{@{busname},org.kde.KWin.Session{,.*}}", label=kwin_wayland),
  dbus send bus=session path=/Session
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name="{@{busname},org.kde.KWin.Session{,.*}}", label=kwin_wayland),
  dbus send bus=session path=/Session
       interface=org.freedesktop.DBus.ObjectManager
       member=GetManagedObjects
       peer=(name="{@{busname},org.kde.KWin.Session{,.*}}", label=kwin_wayland),
  dbus receive bus=session path=/Session
       interface=org.freedesktop.DBus.ObjectManager
       member={InterfacesAdded,InterfacesRemoved}
       peer=(name="{@{busname},org.kde.KWin.Session{,.*}}", label=kwin_wayland),

  @{exec_path} mr,

  # Executables: rm inherits this profile (ix); the others transition to their
  # own profile with a scrubbed environment (Px) — Px is preferred so a
  # child never runs with ksmserver's permissions.
  @{bin}/rm            rix,
  @{thunderbird_path}  rpx,

  /{,usr/}lib{,exec,32,64}/*-linux-gnu*/{,libexec/}DiscoverNotifier Px,
  /{,usr/}lib{,exec,32,64}/DiscoverNotifier Px,
  /{,usr/}lib{,exec,32,64}/*-linux-gnu*/{,libexec/}drkonqi Px,
  /{,usr/}lib{,exec,32,64}/drkonqi Px,
  /{,usr/}lib{,exec,32,64}/*-linux-gnu*/{,libexec/}kscreenlocker_greet Px,
  /{,usr/}lib{,exec,32,64}/kscreenlocker_greet Px,

  /usr/share/color-schemes/{,**} r,
  /usr/share/kservices{5,6}/{,**} r,
  /usr/share/kservicetypes{5,6}/{,**} r,

  /etc/xdg/menus/applications-merged/{,*} r,
  /etc/machine-id r,
  /etc/xdg/kscreenlockerrc r,
  /etc/xdg/menus/{,*} r,

  # NOTE(review): @{HOME}/@{rand6} is a wide write rule on the home directory;
  # presumably for atomic-save temp files — confirm against logged denials.
  owner @{HOME}/@{rand6} rw,
  owner @{HOME}/.Xauthority rw,

  owner @{user_cache_dirs}/fontconfig/*-le64.cache-* r,

  # Config: ksmserverrc is written via temp file + rename (the .@{rand6} and
  # .lock rules); kscreenlockerrc is read-only here.
  owner @{user_config_dirs}/#@{int} rw,
  owner @{user_config_dirs}/kdedefaults/kscreenlockerrc r,
  owner @{user_config_dirs}/kscreenlockerrc r,
  owner @{user_config_dirs}/ksmserverrc rw,
  owner @{user_config_dirs}/ksmserverrc.@{rand6} rwl,
  owner @{user_config_dirs}/ksmserverrc.lock rwk,

  owner @{user_share_dirs}/kservices{5,6}/ r,
  owner @{user_share_dirs}/kservices{5,6}/ServiceMenus/ r,

  # ICE authority temp files: the "l -> target" rules allow the hard-link
  # step of the create/rename dance, restricted to the listed targets only.
  owner @{run}/user/@{uid}/#@{int} rw,
  owner @{run}/user/@{uid}/iceauth_@{rand6} wl -> @{run}/user/@{uid}/#@{int},
  owner @{run}/user/@{uid}/iceauth_@{rand6}-c w,
  owner @{run}/user/@{uid}/iceauth_@{rand6}-l wl -> @{run}/user/@{uid}/iceauth_@{rand6}-c,
  owner @{run}/user/@{uid}/iceauth_@{rand6}-n rw,

  owner @{tmp}/@{rand6} rw,

  # systemd inhibitor lock fds arrive disconnected from the namespace, so the
  # path is matched with the @{att} prefix from attach_disconnected.path.
  # (Indentation of this rule differs from the rest of the file.)
        @{att}@{run}/systemd/inhibit/@{int}.ref rw,
  owner @{run}/user/@{uid}/KSMserver__[0-9] rw,

  /dev/tty r,

  # Site-local additions, loaded only if the file exists.
  include if exists <local/ksmserver>
}

# vim:syntax=apparmor
