# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# Copyright (C) 2024 Besanon  <m231009ts@mailfence.com>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/4.0>,

include <tunables/global>

@{exec_path} = @{bin}/lxqt-panel
@{att} = ""
profile lxqt-panel /{,usr/}bin/lxqt-panel flags=(complain) {
  include <abstractions/base-strict>
  include <abstractions/audio-client>
  include <abstractions/dconf-write>
  include <abstractions/lxqt>
  include <abstractions/nameservice-strict>

  network inet dgram,
  network inet6 dgram,
  network inet stream,
  network inet6 stream,
  network netlink raw,
  network packet dgram,

  @{exec_path} mr,

  @{bin}/exo-open rix,
  @{lib}/gio-launch-desktop  rix,
  @{bin}/nm-applet rpx,
  @{bin}/nm-connection-editor rpx,
  @{bin}/ControlPanel rpx,

  @{bin}/sudo rcx -> root,

  @{lib}/lxqt-panel/*.so mr, #  LXQT-Plugins
  @{lib}/lxqt-config/*.so mr, # LXQT-Plugins

  /usr/share/desktop-directories/{,**} r,
  /usr/share/lxqt/{,**} r,

  /etc/fstab r,
  /etc/udev/udev.conf r,
  /etc/machine-id r,
  /etc/xdg/lxqt-qtxdg.conf r,
  /etc/xdg/menus/**.menu r,
  /etc/xdg/menus/applications-merged/ r,
  /etc/xdg/ui/uistandards.rc r,

  /var/lib/dbus/machine-id r,

  owner @{HOME}/Desktop/*.desktop rw,
  owner @{HOME}/Desktop/#@{int} rw,
  owner @{HOME}/Desktop/*.desktop l -> @{HOME}/Desktop/#@{int},

  owner @{user_config_dirs}/menus/*.menu rw,
  owner @{user_config_dirs}/menus/applications-merged/ r,
  owner @{user_config_dirs}/share/desktop-directories/*.directory r,
  owner @{user_config_dirs}/share/gvfs-metadata/{,*} r,
  owner @{user_config_dirs}/lxqt/#@{int} rw,
  owner @{user_config_dirs}/lxqt/panel.conf rw,
  owner @{user_config_dirs}/lxqt/panel.conf.lock rwk,
  owner @{user_config_dirs}/lxqt/panel.conf.@{rand6} rw,
  owner @{user_config_dirs}/lxqt/panel.conf.@{rand6} l -> @{user_config_dirs}/lxqt/#@{int},
  owner @{user_config_dirs}/pulse/{,**} rwk,

  @{run}/udev/data/+*:* r,                # Identifies all subsystems
  @{run}/udev/data/c@{int}:@{int} r,      # Identifies all character devices

  @{sys}/class/i2c-adapter/ r,
  @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_{cur,min,max}_freq r,

  @{PROC}/@{pid}/fd/ r,
  @{PROC}/@{pid}/net/dev r,
  owner @{PROC}/@{pid}/mounts r,

  /dev/tty rw,
  /dev/tty@{int} rw,
  /dev/pts/@{int} rw,
  /dev/snd/controlC@{int} rw,

  profile root flags=(complain) {
    include <abstractions/base-strict>
    include <abstractions/app/sudo>

    @{bin}/lsblk rpx,

    include if exists <local/lxqt-panel_root>
  }

  include if exists <local/lxqt-panel>
}

# vim:syntax=apparmor
