# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/4.0>,

include <tunables/global>

# Executables this profile attaches to (expanded on the profile line and
# granted `mr` inside it): the two launcher wrappers and the soffice program.
@{exec_path} = @{bin}/libreoffice @{bin}/soffice @{lib}/libreoffice/program/soffice
# Directory under which disconnected paths are re-attached
# (consumed by attach_disconnected.path= in the profile flags).
@{att} = /att/libreoffice/
# LibreOffice: the launcher wrappers and the soffice program itself.
#
# NOTE(review): this profile carries the `complain` flag, so rule violations
# are logged but NOT blocked -- in this state it is an audit aid, not an
# enforcement boundary. Presumably left in complain while the rule set is
# being validated; confirm that before relying on it. (AppArmor documents
# explicit `deny` rules -- see the end of this profile -- as still enforced
# in complain mode; worth verifying on the target kernel.)
# attach_disconnected.path=@{att} re-attaches paths that have no path in the
# current namespace under /att/libreoffice/ so they can still be matched.
#
# The attachment list below is the expanded @{exec_path}; the @{lib} soffice
# glob appears twice, which is harmless but looks like a generator artefact.
profile libreoffice /{{,usr/}bin/libreoffice,{,usr/}bin/soffice,{,usr/}lib{,exec,32,64}/libreoffice/program/soffice,{,usr/}lib{,exec,32,64}/libreoffice/program/soffice}  flags=(attach_disconnected,attach_disconnected.path=@{att},complain) {
  # Shared building blocks: desktop/GUI (desktop, graphics, fontconfig,
  # qt5 settings, dconf), audio, printing (cups-client), mDNS lookups
  # (avahi-observe), session/system D-Bus plus the desktop portal and the
  # gvfs/volume-monitor services, Java runtime, spell-checking (enchant),
  # TLS trust store (ssl_certs), name resolution, and user-file access via
  # the *-strict abstractions. Those last two decide which parts of @{HOME}
  # are reachable; their contents are not visible from this file.
  include <abstractions/attached/base>
  include <abstractions/audio-client>
  include <abstractions/avahi-observe>
  include <abstractions/bus-session>
  include <abstractions/bus-system>
  include <abstractions/bus/org.freedesktop.portal.Desktop>
  include <abstractions/bus/session/org.gtk.Private.RemoteVolumeMonitor>
  include <abstractions/bus/session/org.gtk.vfs.Daemon>
  include <abstractions/cups-client>
  include <abstractions/dconf-write>
  include <abstractions/desktop>
  include <abstractions/enchant>
  include <abstractions/fontconfig-cache-read>
  include <abstractions/graphics>
  include <abstractions/java>
  include <abstractions/nameservice-strict>
  include <abstractions/qt5-settings-write>
  include <abstractions/screen-inhibit>
  include <abstractions/session-manager>
  include <abstractions/ssl_certs>
  include <abstractions/user-read-strict>
  include <abstractions/user-write-strict>

  # Unrestricted IPv4/IPv6 TCP and UDP, plus raw netlink sockets.
  # NOTE(review): this is full outbound network access for an office suite;
  # AppArmor cannot filter by destination, so narrowing it would mean
  # deciding which features (online help, update checks, extension
  # downloads, ...) are wanted -- out of scope for what this file shows.
  network inet dgram,
  network inet6 dgram,
  network inet stream,
  network inet6 stream,
  network netlink raw,

  # Session-bus ownership and the org.libreoffice object tree. Receives are
  # limited to peers named @{busname} (expected from tunables/global, not
  # defined here); sends may also target the bus daemon itself.
  include <abstractions/bus/session/own>

  dbus bind bus=session name=org.libreoffice{,.*},
  dbus receive bus=session path=/org/libreoffice{,/**}
       interface=org.libreoffice{,.*}
       peer=(name="@{busname}"),
  dbus send bus=session path=/org/libreoffice{,/**}
       interface=org.libreoffice{,.*}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  dbus receive bus=session path=/org/libreoffice{,/**}
       interface=org.gtk.Actions
       peer=(name="@{busname}"),
  dbus send bus=session path=/org/libreoffice{,/**}
       interface=org.gtk.Actions
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  dbus (send receive) bus=session path=/org/libreoffice{,/**}
       interface=org.freedesktop.DBus.Properties
       member={Get,GetAll,Set,PropertiesChanged}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  dbus receive bus=session path=/org/libreoffice{,/**}
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name="@{busname}"),
  dbus receive bus=session path=/org/libreoffice{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member=GetManagedObjects
       peer=(name="{@{busname},org.libreoffice{,.*}}"),
  dbus send bus=session path=/org/libreoffice{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member={InterfacesAdded,InterfacesRemoved}
       peer=(name="{@{busname},org.freedesktop.DBus}"),

  # System bus: read-only hostname properties, and only from a peer that is
  # itself confined by the systemd-hostnamed profile (label= check).
  dbus send bus=system path=/org/freedesktop/hostname1
       interface=org.freedesktop.DBus.Properties
       member=GetAll
       peer=(name=@{busname}, label=systemd-hostnamed),

  @{exec_path} mr,

  # Shell and coreutils helpers run *inside* this profile (ix = inherit);
  # nothing they can do exceeds what the rules here already allow.
  @{sh_path}        rix,
  @{bin}/basename   rix,
  @{bin}/dirname    rix,
  @{bin}/{,e}grep   rix,
  @{bin}/ls         rix,
  @{bin}/paperconf  rix,
  @{bin}/sed        rix,
  @{bin}/uname      rix,

  # Opening URLs/files in external apps goes through a dedicated child
  # profile (px -> named target) rather than inheriting this one.
  @{open_path}      rpx -> child-open-browsers,

  # GnuPG tools transition to their own profiles (px); key material is
  # therefore never readable under the libreoffice label.
  @{bin}/gpg        rpx,
  @{bin}/gpgconf    rpx,
  @{bin}/gpgsm      rpx,

  # Bundled JVM and LibreOffice helper binaries stay under this profile.
  @{lib}/jvm/java*/bin/java               rix,
  @{lib}/jvm/java*/lib/** rm,
  @{lib}/libreoffice/program/javaldx      rix,
  @{lib}/libreoffice/program/oosplash     rix,
  @{lib}/libreoffice/program/soffice.bin  rix,
  @{lib}/libreoffice/program/xpdfimport   rix,

  # Installation tree: read + mmap only, except the extension-cache stamp and
  # the __pycache__ directories. The trailing slash means only creation of
  # the directory itself is allowed, not writes to files inside it --
  # NOTE(review): possibly intentional for system paths; confirm against logs.
  @{lib}/libreoffice/{,**} rm,
  @{lib}/libreoffice/share/uno_packages/cache/stamp.sys w,
  @{lib}/libreoffice/program/{,**/}__pycache__/ w,
  @{lib}/libreoffice/share/extensions/{,**/}__pycache__/ w,

  # Read-only shared data: hyphenation, text categorisation, language tags,
  # LibreOffice's own share tree, thesaurus, thumbnailer definitions.
  /usr/share/hyphen/{,**} r,
  /usr/share/libexttextcat/{,**} r,
  /usr/share/liblangtag/{,**} r,
  /usr/share/libreoffice/{,**} r,
  /usr/share/mythes/{,**} r,
  /usr/share/thumbnailers/{,**} r,

  # System configuration, read-only. `/etc/xdg/*` matches top-level files
  # only (single `*`), not subdirectories.
  /etc/cups/ppd/*.ppd r,
  /etc/java{,-}{,@{version}}-openjdk/{,**} r,
  /etc/libreoffice/{,**} r,
  /etc/papersize r,
  /etc/paperspecs r,
  /etc/xdg/* r,

        /var/tmp/ r,
  owner /var/spool/libreoffice/uno_packages/cache/stamp.sys w,

  # Per-user cache and configuration; `k` allows file locking on the
  # config tree and on the soffice lock files.
  owner @{user_cache_dirs}/libreoffice/{,**} rw,

  owner @{user_config_dirs}/kservicemenurc r,
  owner @{user_config_dirs}/libreoffice/ rw,
  owner @{user_config_dirs}/libreoffice/** rwk,
  owner @{user_config_dirs}/plasma_workspace.notifyrc r,
  owner @{user_config_dirs}/soffice.*.lock rwk,
  owner @{user_config_dirs}/soffice.binrc r,

  # `#@{int}` names are how unlinked/anonymous (O_TMPFILE-style) files show
  # up in AppArmor logs -- presumably atomic-save temporaries; confirm.
  owner @{user_share_dirs}/#@{int} rw,
  owner @{user_share_dirs}/user-places.xbel r,

  # Temporary files: JVM attach/perf-data files, generic hex/random names,
  # and the OSL_PIPE socket which, by its name, is LibreOffice's
  # single-instance IPC endpoint. All are `owner`-restricted.
        @{tmp}/ r,
  owner @{tmp}/.java_pid@{int}{,.tmp} rw,
  owner @{tmp}/@{hex} rw,
  owner @{tmp}/@{rand6} rwk,
  owner @{tmp}/@{u64} rw,
  owner @{tmp}/*.tmp/{,**} rwk,
  owner @{tmp}/hsperfdata_@{user}/  rw,
  owner @{tmp}/hsperfdata_@{user}/@{int} rwk,
  owner @{tmp}/OSL_PIPE_@{uid}_SingleOfficeIPC_@{hex} rw,

  owner @{run}/user/@{uid}/#@{int} rw,
  owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,

  # Read-only hardware and cgroup introspection (CPU microcode version,
  # disk type, hugepage settings, own resource limits). Likely JVM /
  # allocator probing; nothing here is writable.
        @{sys}/devices/system/cpu/cpu@{int}/microcode/version r,
        @{sys}/devices/virtual/block/**/queue/rotational r,
        @{sys}/kernel/mm/hugepages/ r,
        @{sys}/kernel/mm/transparent_hugepage/enabled r,
        @{sys}/kernel/mm/transparent_hugepage/shmem_enabled r,
        @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/{cpu,memory}.max r,
  owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/**/memory.max r,
  owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/org.gnome.Shell@wayland.service/memory.max r,

  # Own-process /proc entries only (@{pid} + owner). coredump_filter is the
  # one writable entry; it only affects what the process's own core dumps
  # contain.
        @{PROC}/cgroups r,
  owner @{PROC}/@{pid}/cgroup r,
  owner @{PROC}/@{pid}/coredump_filter rw,
  owner @{PROC}/@{pid}/mountinfo r,
  owner @{PROC}/@{pid}/mounts r,

  /dev/tty rw,

  # Hard denies: even the owning user's Thunderbird and Firefox profile
  # data (mail, cookies, sessions, saved logins) is unreachable from inside
  # LibreOffice. `deny` takes precedence over any allow rule, including
  # those pulled in by the user-*-strict abstractions.
  # NOTE(review): other credential stores (~/.ssh, ~/.gnupg, other
  # browsers' profiles) are not listed; whether they are reachable depends
  # on those abstractions, which are not visible here.
  deny owner @{HOME}/.thunderbird/** rwk,
  deny owner @{HOME}/.mozilla/** rwk,

  # Site-local additions, if present.
  include if exists <local/libreoffice>
}

# vim:syntax=apparmor
