# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/4.0>,

include <tunables/global>

@{exec_path} = @{bin}/openbox
@{att} = ""
profile openbox /{,usr/}bin/openbox flags=(complain) {
  include <abstractions/base-strict>
  include <abstractions/fonts>
  include <abstractions/fontconfig-cache-read>
  include <abstractions/freedesktop.org>
  include <abstractions/nameservice-strict>

  signal (send) set=(term, kill),

  @{exec_path} mr,

  @{lib}/@{multiarch}/openbox-autostart rcx -> autostart,

  # Apps allowed to run
  @{bin}/*                     rpux,
  @{lib}/@{multiarch}/*/**     rpux,
  @{lib}/*                     rpux,
  /usr/local/bin/*             rpux,

  /usr/share/themes/*/openbox-3/themerc r,

  /etc/xdg/openbox/* r,

  owner @{HOME}/ r,
  owner @{user_config_dirs}/openbox/ r,
  owner @{user_config_dirs}/openbox/* r,

  owner @{user_config_dirs}/obmenu-generator/icons/@{hex}.png r,

  owner @{user_cache_dirs}/ rw,
  owner @{user_cache_dirs}/openbox/ rw,
  owner @{user_cache_dirs}/openbox/openbox.log rw,
  owner @{user_cache_dirs}/openbox/sessions/ rw,

  owner @{HOME}/.Xauthority r,

  owner @{PROC}/@{pid}/fd/ r,

  # file_inherit
  owner /dev/tty@{int} rw,
  owner @{HOME}/.xsession-errors w,


  profile autostart flags=(complain) {
    include <abstractions/base-strict>

    @{lib}/@{multiarch}/openbox-autostart mr,
    @{lib}/@{multiarch}/openbox-xdg-autostart rix,

    @{sh_path}        rix,
    @{bin}/which{,.debianutils}   rix,

    # Apps allowed to run
    @{bin}/*                      rpux,
    /usr/local/bin/*              rpux,
    @{lib}/*                      rpux,
    @{lib}/@{multiarch}/*/**      rpux,

    /usr/local/lib/python*/dist-packages/ r,

    owner @{HOME}/ r,
    owner @{user_config_dirs}/openbox/autostart r,
    owner @{user_config_dirs}/autostart/{,*} r,
    /etc/xdg/openbox/autostart r,
    /etc/xdg/autostart/{,*} r,

    # Silencer
    deny @{lib}/@{python_name}/** w,
    deny owner @{user_lib_dirs}/python*/site-packages/ r,

    # file_inherit
    owner @{HOME}/.xsession-errors w,
    owner /dev/tty@{int} rw,

    include if exists <local/openbox_autostart>
  }

  include if exists <local/openbox>
}

# vim:syntax=apparmor
