# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/4.0>,

include <tunables/global>

# Attachment path of the profile below: the SDDM X session wrapper script.
@{exec_path} = /etc/sddm/Xsession
# NOTE(review): presumably overrides the tunables/global default so that the
# included abstractions expand @{att} to nothing for this profile, which does
# not use attach_disconnected — confirm against tunables/global.
@{att} = ""
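# Confinement for the SDDM X session wrapper script. The script is only read
# (`r`): it is interpreted by one of the shells granted `rix` below, so every
# tool it runs inline stays under this profile unless a `px`/`cx` transition
# is listed for it.
#
# NOTE(review): `flags=(complain)` means denials are only logged as
# "ALLOWED" audit events, never enforced. Nothing in this file restricts the
# session until the flag is dropped, and the three child profiles below
# carry the same flag.
profile sddm-xsession /etc/sddm/Xsession flags=(complain) {
  include <abstractions/base-strict>
  include <abstractions/bus-session>
  include <abstractions/consoles>
  include <abstractions/nameservice-strict>
  include <abstractions/shells>

  @{exec_path} r,

  # Helpers executed inline (`ix`): they inherit this profile, so anything
  # they can reach is bounded by the rules in this block.
  /{usr/,}{local,}bin/ r,
  @{shells_path}    rix,
  @{bin}/{,e}grep   rix,
  @{bin}/{m,g,}awk  rix,
  @{bin}/cat        rix,
  @{bin}/chmod      rix,
  @{bin}/csh        rix,
  @{bin}/date       rix,
  @{bin}/dpkg-query rpx,
  @{bin}/fish       rix,
  @{bin}/gettext    rix,
  @{bin}/gettext.sh r,
  @{bin}/gpgconf    rcx -> gpg,
  @{bin}/id         rix,
  @{bin}/locale     rix,
  @{bin}/locale-check rix,
  @{bin}/mktemp     rix,
  @{bin}/mv         rix,
  @{bin}/rm         rix,
  @{bin}/sed        rix,
  @{bin}/stat       rix,
  @{bin}/tail       rix,
  @{bin}/tcsh       rix,
  @{bin}/tempfile   rix,
  @{bin}/touch      rix,
  @{bin}/tr         rix,
  @{bin}/which{,.debianutils} rix,

  # Programs that leave this profile: `px` transitions to the target's own
  # profile, `cx` to one of the child profiles defined further down.
  @{bin}/dbus-update-activation-environment  rcx -> dbus,
  @{bin}/flatpak                             rpx,
  @{bin}/numlockx                            rpx,
  @{bin}/xbrlapi                             rpx,
  @{bin}/xhost                               rpx,
  @{bin}/xrdb                                rpx,
  /etc/X11/Xsession                          rpx,
  @{bin}/ssh-agent                           rpx,
  @{bin}/udevadm                             rpx,

  # The run-parts child only lists /etc/X11/Xsession.d/ and Xresources/;
  # the snippets themselves are read (and presumably sourced) by this
  # profile via the /etc/X11/{,**} rule below.
  @{bin}/run-parts         rcx -> run-parts,

  # Allowed GUI sessions to start
  #@{bin}/openbox-session  rpx,
  #@{bin}/openbox          rpx,

  @{system_share_dirs}/im-config/data/{,*} r,
  @{system_share_dirs}/im-config/xinputrc.common r,
  @{system_share_dirs}/libdebuginfod-common/debuginfod.sh r,

  /etc/debuginfod/{,**} r,
  /etc/default/{,*} r,
  /etc/X11/{,**} r,

  owner @{HOME}/.xinputrc r,
  owner @{HOME}/.xsession-errors rw,

  owner @{user_share_dirs}/sddm/xorg-session.log w,

  # Scratch files; `owner` keeps them to the session user. The `file*` and
  # `tmp.@{rand10}` names are presumably tempfile(1)/mktemp output — confirm
  # from audit logs before narrowing or widening them.
  owner @{tmp}/xsess-env-* rw,
  owner @{tmp}/file* rw,
  owner @{tmp}/tmp.@{rand10} rw,

  owner @{PROC}/@{pid}/loginuid r,

  # Directory listing only (run-parts --list style); no snippet is executed
  # from inside this child.
  profile run-parts flags=(complain) {
    include <abstractions/base-strict>

    @{bin}/run-parts mr,

    /etc/X11/Xsession.d/ r,
    /etc/X11/Xresources/ r,

    owner @{HOME}/.xsession-errors w,

    include if exists <local/sddm-xsession_run-parts>
  }

  # Pushes the session environment to the session bus and the user manager.
  # Both sends are pinned to a named peer and its profile label, so a
  # squatting service on the bus cannot receive the environment.
  profile dbus flags=(complain) {
    include <abstractions/base-strict>
    include <abstractions/bus-session>

    dbus send bus=session path=/org/freedesktop/DBus
        interface=org.freedesktop.DBus
        member=UpdateActivationEnvironment
        peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
    dbus send bus=session path=/org/freedesktop/systemd1
        interface=org.freedesktop.systemd1.Manager
        member=SetEnvironment
        peer=(name=org.freedesktop.systemd1, label="@{p_systemd_user}"),

    @{bin}/dbus-update-activation-environment mr,

    owner @{HOME}/.xsession-errors w,

    include if exists <local/sddm-xsession_dbus>
  }

  # Entered from gpgconf only (`rcx -> gpg` above). dirmngr and
  # gpg-connect-agent run inline here, which is why this child carries
  # network rules; gpg-agent transitions to its own profile.
  profile gpg flags=(complain) {
    include <abstractions/base-strict>
    include <abstractions/nameservice-strict>
    include <abstractions/ssl_certs>

    # NOTE(review): dac_read_search bypasses DAC read/search checks on every
    # file and directory, not just the user's own. Confirm from audit logs
    # that the gpg tools actually need it here rather than keeping it
    # speculatively.
    capability dac_read_search,

    network inet stream,
    network inet6 stream,
    network inet dgram,
    network inet6 dgram,

    # NOTE(review): gpg{,2} and gpgsm have `mr` but no `x`, so they cannot
    # be executed from inside this child; presumably kept for additional
    # `rcx -> gpg` entry points — verify whether they are still needed.
    @{bin}/gpg{,2} mr,
    @{bin}/gpgconf mr,
    @{bin}/gpgsm   mr,

    @{bin}/dirmngr           rix,
    @{bin}/gpg-agent         rpx,
    @{bin}/gpg-connect-agent rix,

    @{HOME}/@{XDG_GPG_DIR}/*.conf r,

    # @{pid} matches every process on the host; `owner` limits these to
    # processes of the session user, which is all the inline gpg tools need
    # for their own /proc entries.
    owner @{PROC}/@{pid}/fd/ r,
    owner @{PROC}/@{pid}/task/@{tid}/comm rw,

    owner @{HOME}/.xsession-errors w,

    # NOTE(review): the tty rule is deliberately left without `owner` (note
    # the alignment); confirm an `owner` rule is not sufficient here.
          /dev/tty@{int} rw,
    owner /dev/pts/@{int} rw,

    # deny rules are not audited, so this silences the writes that would
    # otherwise be logged for the session log inherited from the parent
    # (presumably via stderr — confirm).
    deny @{user_share_dirs}/sddm/* rw,

    include if exists <local/sddm-xsession_gpg>
  }

  include if exists <local/sddm-xsession>
}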

# vim:syntax=apparmor
