# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

# Policy ABI this profile is written against; the dbus/unix/signal/network
# rule types used below are interpreted under it.
abi <abi/4.0>,

# Global tunables: source of the @{lib}, @{bin}, @{HOME}, @{PROC}, @{run},
# @{tmp}, @{rand*}, @{busname} ... variables referenced throughout (none of
# them are defined in this file).
include <tunables/global>

# Binary this profile confines; granted "mr" inside the profile body.
@{exec_path} = @{lib}/xdg-desktop-portal-gnome
# Pseudo-root under which disconnected paths are reported
# (see attach_disconnected.path in the profile flags).
@{att} = /att/xdg-desktop-portal-gnome/
# GNOME backend for xdg-desktop-portal (file chooser, screenshot, global
# shortcuts, background, ... implementations of org.freedesktop.impl.portal.*).
# Attachment path is spelled out literally here while the "mr" rule below
# uses @{exec_path}; both resolve to the same binary.
# Flags:
#   attach_disconnected      - allow access to disconnected paths,
#   attach_disconnected.path - report them under @{att},
#   complain                 - violations are LOGGED, NOT BLOCKED: nothing in
#                              this profile is enforced while the flag is set.
profile xdg-desktop-portal-gnome /{,usr/}lib{,exec,32,64}/xdg-desktop-portal-gnome  flags=(attach_disconnected,attach_disconnected.path=@{att},complain) {
  # Shared rule sets. The bus/* abstractions grant the client-side D-Bus
  # traffic for the named services; deny-sensitive-home takes precedence over
  # the broad owner @{HOME} allow rules further down (deny always wins in
  # AppArmor), but the exact paths it excludes are defined there, not here.
  include <abstractions/attached/base>
  include <abstractions/accounts-observe>
  include <abstractions/bus-session>
  include <abstractions/bus-system>
  include <abstractions/bus/org.freedesktop.portal.Desktop>
  include <abstractions/bus/org.gnome.Shell.Introspect>
  include <abstractions/bus/session/org.gtk.vfs.Daemon>
  include <abstractions/attached/consoles>
  include <abstractions/dconf-write>
  include <abstractions/deny-sensitive-home>
  include <abstractions/fontconfig-cache-write>
  include <abstractions/gnome-strict>
  include <abstractions/graphics>
  include <abstractions/nameservice-strict>
  include <abstractions/notifications>
  include <abstractions/user-download-strict>

  # Unix stream sockets only (no inet/inet6 networking is granted here).
  network unix stream,

  # Session-manager signals; presumably session teardown — confirm.
  signal receive set=term peer=gdm,
  signal receive set=(hup term) peer=gdm-session-worker,

  # Own a name on the session bus, then bind the backend's well-known name
  # (and any sub-name) below.
  include <abstractions/bus/session/own>

  # --- Server side: the backend's own object tree ---------------------------
  # Peers are restricted by bus name only (no label), so any session-bus
  # client that the bus itself allows may talk to these objects.
  dbus bind bus=session name=org.freedesktop.impl.portal.desktop.gnome{,.*},
  dbus receive bus=session path=/org/freedesktop/impl/portal/desktop/gnome{,/**}
       interface=org.freedesktop.impl.portal.desktop.gnome{,.*}
       peer=(name="@{busname}"),
  dbus send bus=session path=/org/freedesktop/impl/portal/desktop/gnome{,/**}
       interface=org.freedesktop.impl.portal.desktop.gnome{,.*}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  dbus (send receive) bus=session path=/org/freedesktop/impl/portal/desktop/gnome{,/**}
       interface=org.freedesktop.DBus.Properties
       member={Get,GetAll,Set,PropertiesChanged}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  dbus receive bus=session path=/org/freedesktop/impl/portal/desktop/gnome{,/**}
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name="@{busname}"),
  dbus receive bus=session path=/org/freedesktop/impl/portal/desktop/gnome{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member=GetManagedObjects
       peer=(name="{@{busname},org.freedesktop.impl.portal.desktop.gnome{,.*}}"),
  dbus send bus=session path=/org/freedesktop/impl/portal/desktop/gnome{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member={InterfacesAdded,InterfacesRemoved}
       peer=(name="{@{busname},org.freedesktop.DBus}"),
  # --- Peer: xdg-desktop-portal (the frontend this backend serves) ----------
  # Each "unix ... peer=(label=X)" rule pairs with the D-Bus group that follows
  # it: the dbus rules in that group accept only peers carrying label X.
  unix type=stream addr=none peer=(label=xdg-desktop-portal, addr=none),

  dbus (send receive) bus=session path=/org/freedesktop/portal/desktop
       interface=org.freedesktop.impl.portal{,.*}
       peer=(name="{@{busname},org.freedesktop.impl.portal{,.*}}", label=xdg-desktop-portal),
  dbus (send receive) bus=session path=/org/freedesktop/portal/desktop
       interface=org.freedesktop.DBus.Properties
       member={Get,GetAll,Set,PropertiesChanged}
       peer=(name="{@{busname},org.freedesktop.impl.portal{,.*}}", label=xdg-desktop-portal),
  dbus send bus=session path=/org/freedesktop/portal/desktop
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name="{@{busname},org.freedesktop.impl.portal{,.*}}", label=xdg-desktop-portal),
  dbus send bus=session path=/org/freedesktop/portal/desktop
       interface=org.freedesktop.DBus.ObjectManager
       member=GetManagedObjects
       peer=(name="{@{busname},org.freedesktop.impl.portal{,.*}}", label=xdg-desktop-portal),
  dbus receive bus=session path=/org/freedesktop/portal/desktop
       interface=org.freedesktop.DBus.ObjectManager
       member={InterfacesAdded,InterfacesRemoved}
       peer=(name="{@{busname},org.freedesktop.impl.portal{,.*}}", label=xdg-desktop-portal),
  # --- Peer: gnome-shell, org.gnome.Mutter object tree ----------------------
  unix type=stream addr=none peer=(label=gnome-shell, addr=none),

  dbus (send receive) bus=session path=/org/gnome/Mutter{,/**}
       interface=org.gnome.Mutter{,.*}
       peer=(name="{@{busname},org.gnome.Mutter{,.*}}", label=gnome-shell),
  dbus (send receive) bus=session path=/org/gnome/Mutter{,/**}
       interface=org.freedesktop.DBus.Properties
       member={Get,GetAll,Set,PropertiesChanged}
       peer=(name="{@{busname},org.gnome.Mutter{,.*}}", label=gnome-shell),
  dbus send bus=session path=/org/gnome/Mutter{,/**}
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name="{@{busname},org.gnome.Mutter{,.*}}", label=gnome-shell),
  dbus send bus=session path=/org/gnome/Mutter{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member=GetManagedObjects
       peer=(name="{@{busname},org.gnome.Mutter{,.*}}", label=gnome-shell),
  dbus receive bus=session path=/org/gnome/Mutter{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member={InterfacesAdded,InterfacesRemoved}
       peer=(name="{@{busname},org.gnome.Mutter{,.*}}", label=gnome-shell),
  # --- Peer: gnome-control-center global-shortcuts provider -----------------
  unix type=stream addr=none peer=(label=gnome-control-center-global-shortcuts-provider, addr=none),

  dbus (send receive) bus=session path=/org/gnome/Settings/GlobalShortcutsProvider{,/**}
       interface=org.gnome.Settings.GlobalShortcutsProvider{,.*}
       peer=(name="{@{busname},org.gnome.Settings.GlobalShortcutsProvider{,.*}}", label=gnome-control-center-global-shortcuts-provider),
  dbus (send receive) bus=session path=/org/gnome/Settings/GlobalShortcutsProvider{,/**}
       interface=org.freedesktop.DBus.Properties
       member={Get,GetAll,Set,PropertiesChanged}
       peer=(name="{@{busname},org.gnome.Settings.GlobalShortcutsProvider{,.*}}", label=gnome-control-center-global-shortcuts-provider),
  dbus send bus=session path=/org/gnome/Settings/GlobalShortcutsProvider{,/**}
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name="{@{busname},org.gnome.Settings.GlobalShortcutsProvider{,.*}}", label=gnome-control-center-global-shortcuts-provider),
  dbus send bus=session path=/org/gnome/Settings/GlobalShortcutsProvider{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member=GetManagedObjects
       peer=(name="{@{busname},org.gnome.Settings.GlobalShortcutsProvider{,.*}}", label=gnome-control-center-global-shortcuts-provider),
  dbus receive bus=session path=/org/gnome/Settings/GlobalShortcutsProvider{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member={InterfacesAdded,InterfacesRemoved}
       peer=(name="{@{busname},org.gnome.Settings.GlobalShortcutsProvider{,.*}}", label=gnome-control-center-global-shortcuts-provider),
  # --- Peer: gnome-shell, org.gnome.Shell object tree -----------------------
  unix type=stream addr=none peer=(label=gnome-shell, addr=none),

  dbus (send receive) bus=session path=/org/gnome/Shell{,/**}
       interface=org.gnome.Shell{,.*}
       peer=(name="{@{busname},org.gnome.Shell{,.*}}", label=gnome-shell),
  dbus (send receive) bus=session path=/org/gnome/Shell{,/**}
       interface=org.freedesktop.DBus.Properties
       member={Get,GetAll,Set,PropertiesChanged}
       peer=(name="{@{busname},org.gnome.Shell{,.*}}", label=gnome-shell),
  dbus send bus=session path=/org/gnome/Shell{,/**}
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name="{@{busname},org.gnome.Shell{,.*}}", label=gnome-shell),
  dbus send bus=session path=/org/gnome/Shell{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member=GetManagedObjects
       peer=(name="{@{busname},org.gnome.Shell{,.*}}", label=gnome-shell),
  dbus receive bus=session path=/org/gnome/Shell{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member={InterfacesAdded,InterfacesRemoved}
       peer=(name="{@{busname},org.gnome.Shell{,.*}}", label=gnome-shell),
  # --- Peer: gnome-shell, org.gnome.Shell.Screenshot (screenshot portal) ----
  unix type=stream addr=none peer=(label=gnome-shell, addr=none),

  dbus (send receive) bus=session path=/org/gnome/Shell/Screenshot{,/**}
       interface=org.gnome.Shell.Screenshot{,.*}
       peer=(name="{@{busname},org.gnome.Shell.Screenshot{,.*}}", label=gnome-shell),
  dbus (send receive) bus=session path=/org/gnome/Shell/Screenshot{,/**}
       interface=org.freedesktop.DBus.Properties
       member={Get,GetAll,Set,PropertiesChanged}
       peer=(name="{@{busname},org.gnome.Shell.Screenshot{,.*}}", label=gnome-shell),
  dbus send bus=session path=/org/gnome/Shell/Screenshot{,/**}
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name="{@{busname},org.gnome.Shell.Screenshot{,.*}}", label=gnome-shell),
  dbus send bus=session path=/org/gnome/Shell/Screenshot{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member=GetManagedObjects
       peer=(name="{@{busname},org.gnome.Shell.Screenshot{,.*}}", label=gnome-shell),
  dbus receive bus=session path=/org/gnome/Shell/Screenshot{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member={InterfacesAdded,InterfacesRemoved}
       peer=(name="{@{busname},org.gnome.Shell.Screenshot{,.*}}", label=gnome-shell),
  # --- Peer: gvfs volume monitors (label is a glob; any gvfs-*-volume-monitor)
  unix type=stream addr=none peer=(label="gvfs-*-volume-monitor", addr=none),

  dbus (send receive) bus=session path=/org/gtk/Private/RemoteVolumeMonitor{,/**}
       interface=org.gtk.Private.RemoteVolumeMonitor{,.*}
       peer=(name="{@{busname},org.gtk.Private.RemoteVolumeMonitor{,.*}}", label="gvfs-*-volume-monitor"),
  dbus (send receive) bus=session path=/org/gtk/Private/RemoteVolumeMonitor{,/**}
       interface=org.freedesktop.DBus.Properties
       member={Get,GetAll,Set,PropertiesChanged}
       peer=(name="{@{busname},org.gtk.Private.RemoteVolumeMonitor{,.*}}", label="gvfs-*-volume-monitor"),
  dbus send bus=session path=/org/gtk/Private/RemoteVolumeMonitor{,/**}
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name="{@{busname},org.gtk.Private.RemoteVolumeMonitor{,.*}}", label="gvfs-*-volume-monitor"),
  dbus send bus=session path=/org/gtk/Private/RemoteVolumeMonitor{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member=GetManagedObjects
       peer=(name="{@{busname},org.gtk.Private.RemoteVolumeMonitor{,.*}}", label="gvfs-*-volume-monitor"),
  dbus receive bus=session path=/org/gtk/Private/RemoteVolumeMonitor{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       member={InterfacesAdded,InterfacesRemoved}
       peer=(name="{@{busname},org.gtk.Private.RemoteVolumeMonitor{,.*}}", label="gvfs-*-volume-monitor"),

  # Background-portal notification to the frontend; peer name is the bus
  # itself, so presumably this is an emitted signal rather than a call —
  # confirm.
  dbus send bus=session path=/org/freedesktop/portal/desktop
       interface=org.freedesktop.impl.portal.Background
       member=RunningApplicationsChanged
       peer=(name=org.freedesktop.DBus, label=xdg-desktop-portal),

  # Property reads / change notifications on the root org.gnome.Shell object
  # (the /org/gnome/Shell{,/**} group above already covers this path; kept
  # explicit here).
  dbus send bus=session path=/org/gnome/Shell
       interface=org.freedesktop.DBus.Properties
       member=GetAll
       peer=(name=@{busname}, label=gnome-shell),
  dbus receive bus=session path=/org/gnome/Shell
       interface=org.freedesktop.DBus.Properties
       member=PropertiesChanged
       peer=(name=@{busname}, label=gnome-shell),

  # The confined binary itself: map + read, no transition to other profiles.
  @{exec_path} mr,

  # Broad read of installed programs and / listing; presumably needed to
  # enumerate applications for the app chooser — confirm against denial logs
  # before narrowing.
  / r,
  @{bin}/ r,
  @{bin}/* r,
  /opt/** r,

  /usr/share/gdm/greeter/applications/{,**} r,
  /usr/share/thumbnailers/{,**} r,

  # Per-user caches/shares (owner-only).
  owner @{desktop_cache_dirs}/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rw,
  owner @{desktop_share_dirs}/applications/{,**} r,

  # File-chooser reach: read of the home root and its direct entries, and
  # read-WRITE of every subdirectory tree. This is the widest grant in the
  # profile; it is bounded only by the deny-sensitive-home abstraction
  # included above and by the owner restriction.
  owner @{HOME}/ r,
  owner @{HOME}/* r,
  owner @{HOME}/*/{,**} rw,
  owner @{MOUNTS}/ r,

  # Temporary files (GIO output streams, GTK print dialog, own scratch files).
  owner @{tmp}/.goutputstream-@{rand6} rw,
  owner @{tmp}/@{rand6} rw,
  owner @{tmp}/gtkprint_ppd_@{rand6} rw,
  owner @{tmp}/gtkprint@{rand6} r,
  owner @{tmp}/xdg-desktop-portal-gnome@{rand6} rw,

  # gvfsd socket for the user's session.
  owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,

  @{run}/mount/utab r,

  @{sys}/devices/**/uevent r,

  # Self-introspection only (owner-restricted to the process's own pid/tid).
  owner @{PROC}/@{pid}/ r,
  owner @{PROC}/@{pid}/cmdline r,
  owner @{PROC}/@{pid}/mountinfo r,
  owner @{PROC}/@{pid}/stat r,
  owner @{PROC}/@{pid}/task/@{tid}/ r,
  owner @{PROC}/@{pid}/task/@{tid}/comm rw,
  owner @{PROC}/@{pid}/task/@{tid}/status r,

  # Site-local additions, loaded only if the file exists.
  include if exists <local/xdg-desktop-portal-gnome>
}

# vim:syntax=apparmor
