# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2022 Mikhail Morfikov
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/4.0>,

include <tunables/global>

@{exec_path} = @{bin}/xdg-mime
@{att} = /att/xdg-mime/
profile xdg-mime /{,usr/}bin/xdg-mime  flags=(attach_disconnected,attach_disconnected.path=@{att},complain) {
  include <abstractions/attached/base>
  include <abstractions/attached/consoles>
  include <abstractions/freedesktop.org>

  @{exec_path} r,

  @{sh_path}       rix,
  @{bin}/{,e}grep   ix,
  @{bin}/{m,g,}awk  ix,
  @{bin}/basename   ix,
  @{bin}/cat        ix,
  @{bin}/cut        ix,
  @{bin}/file       ix,
  @{bin}/head       ix,
  @{bin}/mkdir      ix,
  @{bin}/mv         ix,
  @{bin}/readlink   ix,
  @{bin}/realpath   ix,
  @{bin}/rm         ix,
  @{bin}/sed        ix,
  @{bin}/touch      ix,
  @{bin}/tr         ix,
  @{bin}/umask      ix,
  @{bin}/uname      ix,

  # To query DE information
  @{bin}/gio                  ix,
  @{bin}/gnomevfs-info        ix,
  @{bin}/gvfs-info            ix,
  @{bin}/kde{,4}-config       ix,
  @{bin}/kfile                ix,
  @{bin}/kmimetypefinder{,5}  ix,
  @{bin}/ktraderclient{,5}    ix,
  @{bin}/qtpaths              ix,
  @{bin}/qtxdg-mat            ix,

  @{bin}/dbus-send            cx -> bus,
  @{bin}/kbuildsycoca{,5}     px,
  @{bin}/mimetype             px,
  @{bin}/vendor_perl/mimetype px,
  @{bin}/xprop                px,

  owner @{user_config_dirs}/mimeapps.list w,

  owner @{tmp}/wl-copy-buffer-@{rand6}/stdin r,

  @{PROC}/version r,

  /dev/tty rw,

  # file_inherit
  deny /opt/*/** r,
  deny owner @{user_config_dirs}/*/** rw,
  deny owner @{tmp}/.org.chromium.Chromium.@{rand6} rw,
  deny owner /dev/shm/.org.chromium.Chromium.@{rand6} rw,

  profile bus  flags=(attach_disconnected,attach_disconnected.path=@{att},complain) {
    include <abstractions/attached/base>
    include <abstractions/app/bus>
    include <abstractions/bus-session>
    include <abstractions/attached/consoles>

    include if exists <local/xdg-mime_bus>
  }

  include if exists <local/xdg-mime>
}

# vim:syntax=apparmor
