# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/4.0>,

include <tunables/global>

# Profile variables. Names such as @{bin}, @{user_*_dirs}, @{tmp} and @{rand6}
# are not defined here and are expected to come from <tunables/global>.
@{name} = spotify
# Only used to name the application's temporary directory under @{tmp}
# (see the profile body); it is not an attachment path.
@{domain} = org.chromium.Chromium
@{lib_dirs} = /opt/@{name}/ /usr/share/@{name}/
@{config_dirs} = @{user_config_dirs}/@{name}
@{cache_dirs} = @{user_cache_dirs}/@{name}

# NOTE(review): the profile header below spells the attachment paths out
# literally rather than using @{exec_path}; the two only stay equivalent
# while this variable and the header are kept in sync.
@{exec_path} = @{bin}/@{name} @{lib_dirs}/@{name}
# Root under which disconnected paths are re-attached for rule matching
# (attach_disconnected.path in the profile flags).
@{att} = /att/spotify/
# Profile for the Spotify desktop client (a Chromium/Electron based app,
# see the org.chromium.Chromium temp directory rule below).
#
# SECURITY NOTE: `complain` in the flags puts this profile in complain mode:
# AppArmor logs rule violations but denies nothing, so as shipped this
# profile documents expected behaviour rather than enforcing it. Drop
# `complain` (or load it with aa-enforce) once the rule set is known to be
# complete. attach_disconnected.path=@{att} (/att/spotify/) is where
# disconnected paths are re-rooted so that rules can still match them.
profile spotify /{{,usr/}bin/spotify,opt/spotify/spotify,usr/share/spotify/spotify}  flags=(attach_disconnected,attach_disconnected.path=@{att},complain) {
  # Chromium/Electron baseline, audio, D-Bus (system bus, portals, tray,
  # bluez), USB read, input method, media keys, MPRIS, notifications,
  # screensaver and the Secret Service API.
  # NOTE(review): <abstractions/secrets-service> exposes the user's keyring
  # to this app; check how broad that abstraction's grant is before enforcing.
  include <abstractions/attached/base>
  include <abstractions/audio-client>
  include <abstractions/bus-system>
  include <abstractions/bus/org.freedesktop.portal.Desktop>
  include <abstractions/bus/org.kde.StatusNotifierWatcher>
  include <abstractions/bus/session/org.freedesktop.systemd1>
  include <abstractions/bus/system/org.bluez>
  include <abstractions/common/electron>
  include <abstractions/devices-usb-read>
  include <abstractions/ibus-strict>
  include <abstractions/mediakeys>
  include <abstractions/mpris>
  include <abstractions/notifications>
  include <abstractions/screensaver>
  include <abstractions/secrets-service>

  # Unrestricted IPv4/IPv6 TCP and UDP: no address or port restriction.
  # `netlink raw` covers every netlink family; presumably needed for
  # interface/route enumeration by Chromium — TODO confirm it cannot be
  # narrowed.
  network inet dgram,
  network inet6 dgram,
  network inet stream,
  network inet6 stream,
  network netlink raw,

  # Unix stream sockets are only allowed to the named peer profiles
  # (gnome-shell here, xdg-desktop-portal and gsd-media-keys below).
  unix type=stream addr=none peer=(label=gnome-shell, addr=none),

  # Tray icon via the org.ayatana NotificationItem interface, limited to the
  # gnome-shell peer: full interface access, properties, introspection and
  # object-manager signals.
  dbus (send receive) bus=session path=/org/ayatana/NotificationItem{,/**}
       interface=org.ayatana.NotificationItem{,.*}
       peer=(name="{@{busname},org.ayatana.NotificationItem{,.*}}", label=gnome-shell),
  dbus (send receive) bus=session path=/org/ayatana/NotificationItem{,/**}
       interface=org.freedesktop.DBus.Properties
       member={Get,GetAll,Set,PropertiesChanged}
       peer=(name="{@{busname},org.ayatana.NotificationItem{,.*}}", label=gnome-shell),
  dbus send bus=session path=/org/ayatana/NotificationItem{,/**}
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name="{@{busname},org.ayatana.NotificationItem{,.*}}", label=gnome-shell),
  dbus send bus=session path=/org/ayatana/NotificationItem{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member=GetManagedObjects
       peer=(name="{@{busname},org.ayatana.NotificationItem{,.*}}", label=gnome-shell),
  dbus receive bus=session path=/org/ayatana/NotificationItem{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member={InterfacesAdded,InterfacesRemoved}
       peer=(name="{@{busname},org.ayatana.NotificationItem{,.*}}", label=gnome-shell),
  unix type=stream addr=none peer=(label=xdg-desktop-portal, addr=none),

  # XDG desktop portal, limited to the xdg-desktop-portal peer. `{d,D}esktop`
  # matches both the canonical org.freedesktop.portal.Desktop name and a
  # lowercase variant.
  # NOTE(review): <abstractions/bus/org.freedesktop.portal.Desktop> is
  # already included above; part of this block may duplicate it — verify
  # against that abstraction before trimming either.
  dbus (send receive) bus=session path=/org/freedesktop/portal/{d,D}esktop{,/**}
       interface=org.freedesktop.portal.{d,D}esktop{,.*}
       peer=(name="{@{busname},org.freedesktop.portal.{d,D}esktop{,.*}}", label=xdg-desktop-portal),
  dbus (send receive) bus=session path=/org/freedesktop/portal/{d,D}esktop{,/**}
       interface=org.freedesktop.DBus.Properties
       member={Get,GetAll,Set,PropertiesChanged}
       peer=(name="{@{busname},org.freedesktop.portal.{d,D}esktop{,.*}}", label=xdg-desktop-portal),
  dbus send bus=session path=/org/freedesktop/portal/{d,D}esktop{,/**}
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name="{@{busname},org.freedesktop.portal.{d,D}esktop{,.*}}", label=xdg-desktop-portal),
  dbus send bus=session path=/org/freedesktop/portal/{d,D}esktop{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member=GetManagedObjects
       peer=(name="{@{busname},org.freedesktop.portal.{d,D}esktop{,.*}}", label=xdg-desktop-portal),
  dbus receive bus=session path=/org/freedesktop/portal/{d,D}esktop{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member={InterfacesAdded,InterfacesRemoved}
       peer=(name="{@{busname},org.freedesktop.portal.{d,D}esktop{,.*}}", label=xdg-desktop-portal),
  unix type=stream addr=none peer=(label=gsd-media-keys, addr=none),

  # GNOME media-key handling, limited to the gsd-media-keys peer.
  # NOTE(review): <abstractions/mediakeys> is included above and may already
  # cover some of these rules — verify before trimming.
  dbus (send receive) bus=session path=/org/gnome/SettingsDaemon/MediaKeys{,/**}
       interface=org.gnome.SettingsDaemon.MediaKeys{,.*}
       peer=(name="{@{busname},org.gnome.SettingsDaemon.MediaKeys{,.*}}", label=gsd-media-keys),
  dbus (send receive) bus=session path=/org/gnome/SettingsDaemon/MediaKeys{,/**}
       interface=org.freedesktop.DBus.Properties
       member={Get,GetAll,Set,PropertiesChanged}
       peer=(name="{@{busname},org.gnome.SettingsDaemon.MediaKeys{,.*}}", label=gsd-media-keys),
  dbus send bus=session path=/org/gnome/SettingsDaemon/MediaKeys{,/**}
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name="{@{busname},org.gnome.SettingsDaemon.MediaKeys{,.*}}", label=gsd-media-keys),
  dbus send bus=session path=/org/gnome/SettingsDaemon/MediaKeys{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member=GetManagedObjects
       peer=(name="{@{busname},org.gnome.SettingsDaemon.MediaKeys{,.*}}", label=gsd-media-keys),
  dbus receive bus=session path=/org/gnome/SettingsDaemon/MediaKeys{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member={InterfacesAdded,InterfacesRemoved}
       peer=(name="{@{busname},org.gnome.SettingsDaemon.MediaKeys{,.*}}", label=gsd-media-keys),

  # Secret portal: RetrieveSecret only, and only towards the
  # xdg-desktop-portal peer. Together with the secrets-service abstraction
  # above this gives the app two routes to stored credentials.
  dbus send bus=session path=/org/freedesktop/portal/desktop
       interface=org.freedesktop.portal.Secret
       member=RetrieveSecret
       peer=(name=org.freedesktop.portal.Desktop, label=xdg-desktop-portal),

  # Re-executing its own binaries stays in this profile (ix).
  @{exec_path} mrix,

  # The shell is only readable/mappable here, not executable; grep runs
  # inherited under this profile.
  @{sh_path} mr,
  @{bin}/{,e}grep rix,

  # Opening URLs/files is delegated to the child-open-strict profile (px),
  # so the launched handler does not inherit Spotify's permissions.
  @{open_path}     rpx -> child-open-strict,

  # Third-party spotify-adblock library, mapped executable (m) from
  # /usr/local/lib, plus its system-wide and per-user configuration below.
  # It is not part of Spotify — presumably injected via LD_PRELOAD, TODO
  # confirm. Whatever is at that path runs with this profile's permissions.
  /usr/local/lib/spotify-adblock.so mr,

  /etc/machine-id r,
  /etc/spotify-adblock/* r,
  /var/lib/dbus/machine-id r,

  # Matches @{HOME}/.tmp itself only (no /** glob). Purpose is not evident
  # from this file — TODO confirm which component uses it.
  owner @{HOME}/.tmp rw,

  # Read-only access to the user's music folder(s) for local files.
  owner @{user_music_dirs}/{,**} r,

  owner @{user_config_dirs}/spotify-adblock/* r,

  # SECURITY NOTE: the Widevine CDM is mapped executable (m) from
  # user-writable cache/config locations. Any process running as this user
  # that can write there can replace the library and run code with this
  # profile's permissions; `owner` only restricts it to same-uid files. This
  # is an inherent trade-off for a DRM module presumably fetched at runtime.
  owner @{cache_dirs}/WidevineCdm/**/libwidevinecdm.so rm,
  owner @{config_dirs}/*/WidevineCdm/**/libwidevinecdm.so rm,

  # Per-instance Chromium-style temp directory: hidden, named after
  # @{domain} with a random 6-character suffix.
  owner @{tmp}/.@{domain}.@{rand6}/{,**} rw,

  # /proc: unix socket table and pressure-stall information are readable
  # for any pid; clear_refs and task comm are owner-only.
        @{PROC}/@{pid}/net/unix r,
        @{PROC}/pressure/* r,
  owner @{PROC}/@{pid}/clear_refs w,
  owner @{PROC}/@{pid}/task/@{tid}/comm rw,

  /dev/tty rw,

  # Explicit deny: wins over any allow pulled in by the abstractions above
  # and keeps these reads out of the audit log.
  deny @{user_share_dirs}/gvfs-metadata/* r,

  # Site-local additions, loaded only when the file exists.
  include if exists <local/spotify>
}

# vim:syntax=apparmor
