# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# Copyright (C) 2024 Besanon  <m231009ts@mailfence.com>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/4.0>,

include <tunables/global>

# Path of the confined binary; the profile body grants it `mr` on itself.
@{exec_path} = @{bin}/lxqt-session
# Prefix passed to attach_disconnected.path in the profile flags, so paths
# that are disconnected from the namespace root are mediated under /att/lxqt-session/.
@{att} = /att/lxqt-session/
# Confinement policy for the LXQt session manager, with two child profiles
# (systemctl, dbus) reached through the `rcx ->` rules below.
#
# Flags:
#   attach_disconnected, attach_disconnected.path=@{att}
#       disconnected paths are attached under the @{att} prefix rather than
#       being rejected (see the @{att}@{run} rule further down).
#   complain
#       violations are logged, not denied. While this flag is set, none of the
#       restrictions below are enforced; the profile only produces audit data.
#
# NOTE(review): the attachment is written as a literal path rather than
# @{exec_path}. Whether both match the same set of paths depends on how @{bin}
# is defined in the tunables -- confirm this is intentional.
profile lxqt-session /{,usr/}bin/lxqt-session  flags=(attach_disconnected,attach_disconnected.path=@{att},complain) {
  # Shared rule sets; their contents are defined outside this file.
  include <abstractions/attached/base>
  include <abstractions/app-launcher-user>
  include <abstractions/dconf>
  include <abstractions/lxqt>
  include <abstractions/qt5-shader-cache>
  include <abstractions/nameservice-strict>

  # Raw netlink sockets.
  network netlink raw,

  # Sending is unrestricted: no signal set and no peer are given, so any
  # signal may be sent to any peer. Receiving is limited to kill/term from
  # the startlxqt and sddm profiles.
  # NOTE(review): consider narrowing `signal (send)` with set= and peer= once
  # the profile leaves complain mode and the needed peers are known.
  signal (send),
  signal (receive) set=(kill, term) peer=startlxqt,
  signal (receive) set=(kill, term) peer=sddm,

  # Read-level ptrace with no peer restriction.
  # NOTE(review): presumably needed for process inspection alongside the
  # @{PROC} rules below -- confirm, and add peer= if a narrower set suffices.
  ptrace (read),

  @{exec_path} mr,

  # Exec transitions. Mode suffixes used here:
  #   ix        - child keeps running under this profile (inherits every rule).
  #   px        - child switches to its own, separately defined profile.
  #   cx -> X   - child switches to the child profile X declared below.
  # All are the lowercase forms, which do not scrub the environment on exec
  # (the uppercase Px/Cx forms do).
  # A shell run via @{sh_path} with ix gets everything this profile allows.
  @{sh_path}                          rix,
  @{bin}/sed                          rix,
  @{bin}/readlink                     rix,
  @{bin}/dirname                      rix,
  @{bin}/system-config-printer-applet rpx,
  @{bin}/dbus-update-activation-environment rcx -> dbus,
  @{bin}/systemctl                    rcx -> systemctl,

  # Session components and applets. openbox and setxkbmap run inside this
  # profile (ix); the rest switch to their own profiles (px), which must exist
  # for the exec to succeed once the profile is enforced.
  @{bin}/pavucontrol                  rpx,
  @{lib}/geoclue-2.0/demos/agent      rpx,
  @{bin}/nm-connection-editor         rpx,
  @{bin}/nm-applet                    rpx,
  @{bin}/openbox                      rix,
  @{bin}/dconf-editor                 rpx,
  @{bin}/setxkbmap                    rix,
  @{bin}/start-pulseaudio-x11         rpx,
  @{bin}/xrdb                         rpx,
  @{bin}/xdg-user-dirs-update         rpx,

  # Read-only system data. A trailing-slash rule grants listing of that
  # directory only, not access to the files in it.
  /usr/share/                         r,
  /usr/share/cursors/                 r,
  /usr/share/backintime/common/*      r,
  /usr/share/desktop-directories/*    r,
  /usr/share/system-config-printer/*  r,

  # System-wide XDG configuration: autostart entries, LXQt menus, openbox.
  /etc/xdg/                           r,
  /etc/xdg/autostart/                 r,
  /etc/xdg/autostart/*.desktop        r,
  /etc/xdg/menus/lxqt-*               r,
  /etc/xdg/openbox/*                  r,
  /etc/udev/udev.conf                 r,

  # Per-user files; `owner` limits each rule to files owned by the process's
  # user. The openbox entries are here because openbox runs under this profile
  # (see the ix rule above). openbox.log additionally allows file locking (k).
  owner @{user_config_dirs}/autostart/ r,
  owner @{user_config_dirs}/autostart/*.desktop r,
  owner @{user_cache_dirs}/openbox/   rw,
  owner @{user_cache_dirs}/openbox/sessions/          rw,
  owner @{user_cache_dirs}/openbox/openbox.log        rwk,
  owner @{user_config_dirs}/mimeapps.list{,.@{rand6}} rw,
  owner @{user_config_dirs}/openbox/rc.xml            r,

  # Inhibitor reference as seen through the attach_disconnected.path prefix.
  # NOTE(review): presumably the systemd-logind inhibit fd -- confirm.
  @{att}@{run}/systemd/inhibit/@{int}.ref rw,

  # /proc access: directory listing, uptime, and per-process stat.
  # NOTE(review): the `owner` stat rule is already covered by the unqualified
  # rule on the line before it, so stat of every process is readable. Decide
  # which of the two is intended and drop the other.
  @{PROC}/                             r,
  @{PROC}/uptime                       r,
  @{PROC}/@{pid}/stat                  r,
  owner @{PROC}/@{pid}/stat            r,

  /dev/tty                             rw,

  # Child profile entered when this profile executes @{bin}/systemctl.
  # Its rules come entirely from the abstractions and the optional local file.
  # Also in complain mode.
  profile systemctl flags=(attach_disconnected,attach_disconnected.path=@{att},complain) {
    include <abstractions/attached/base>
    include <abstractions/app/systemctl>

    # Optional site-local additions; skipped when the file is absent.
    include if exists <local/lxqt-session_systemctl>
  }
  # Child profile entered when this profile executes
  # @{bin}/dbus-update-activation-environment. Also in complain mode.
  profile dbus flags=(attach_disconnected,attach_disconnected.path=@{att},complain) {
    include <abstractions/attached/base>
    include <abstractions/bus-session>

    @{bin}/dbus-update-activation-environment mr,

    # Optional site-local additions; skipped when the file is absent.
    include if exists <local/lxqt-session_dbus>
  }

  # Optional site-local additions to the main profile. Anything added there is
  # merged into this policy, so review it together with this file.
  include if exists <local/lxqt-session>
}

# vim:syntax=apparmor
