# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2017-2021 Mikhail Morfikov
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/4.0>,

include <tunables/global>

# Binary this policy is about; @{bin} is supplied by tunables/global.
@{exec_path} = @{bin}/xinit
# NOTE(review): @{att} is set to the empty string for this file only. Its
# consumer is not visible here (presumably one of the included abstractions)
# — confirm against the abstractions before changing it.
@{att} = ""
# Confinement for xinit, the X session starter. The xserverrc/xinitrc scripts
# and the coreutils they call run inline under this profile (ix); known
# helpers transition to their own profiles (px) or to the child profiles at
# the end of this file (cx); everything else under @{bin} or @{lib} falls back
# to unconfined (ux) — see the note on that rule. All three profiles are in
# complain mode, so denials are logged but not enforced.
# NOTE(review): the attachment path is written literally although
# @{exec_path} is declared above; the two differ if @{bin} expands to more
# than /{,usr/}bin — confirm which attachment is intended.
profile xinit /{,usr/}bin/xinit flags=(complain) {
  include <abstractions/base-strict>
  include <abstractions/bus-session>
  include <abstractions/nameservice-strict>

  # SIGUSR1 is accepted only from a process confined by the xorg profile
  # (presumably the server's start-up notification — confirm).
  signal (receive) set=(usr1) peer=xorg,

  # Terminating signals may only be sent to the xorg peer; SIGHUP to anyone.
  signal (send) set=(term, kill) peer=xorg,
  signal (send) set=(hup),

  @{exec_path} mr,

  # Shell and text tools used by the X init scripts. ix keeps them under
  # this profile; no new privileges are gained by running them.
  @{bin}/               r,
  @{sh_path}          rix,
  @{bin}/{,e}grep     rix,
  @{bin}/{m,g,}awk    rix,
  @{bin}/cat          rix,
  @{bin}/chmod        rix,
  @{bin}/date         rix,
  @{bin}/head         rix,
  @{bin}/id           rix,
  @{bin}/mktemp       rix,
  @{bin}/rm           rix,
  @{bin}/sed          rix,
  @{bin}/tail         rix,
  @{bin}/tempfile     rix,
  @{bin}/touch        rix,
  @{bin}/which{,.debianutils}  rix,
  # The init scripts themselves run inline, so their commands are confined
  # by the rules of this profile.
  /etc/X11/xinit/xinitrc   rix,
  /etc/X11/xinit/xserverrc rix,

  @{bin}/dbus-update-activation-environment rix,

  # Helpers with their own policy: px switches to the target's profile,
  # cx -> NAME switches to the child profile of that name defined below.
  @{bin}/gpgconf     rpx,
  @{bin}/run-parts   rcx -> run-parts,
  @{bin}/udevadm     rcx -> udevadm,

  @{bin}/flatpak     rpx,
  @{bin}/glxinfo     rpx,
  @{bin}/numlockx    rpx,
  @{bin}/X           rpx,
  @{bin}/xhost       rpx,
  @{bin}/Xorg        rpx,
  @{bin}/xrdb        rpx,

  # GUI sessions allowed to start. enlightenment_start and sway get the
  # ux fallback (unconfined if no profile is loaded); the others do not.
  @{bin}/openbox-session      rpx,
  @{bin}/enlightenment_start rpux,
  @{bin}/sway                rpux,
  @{bin}/ssh-agent            rpx,

  # Allow custom GUI launchers to start. This is the weak point of the
  # policy: any binary under @{bin} or @{lib} that has no profile of its own
  # runs unconfined, and the lowercase p/u modes do not scrub its
  # environment. The exact-path px rules above stay strict for the programs
  # they name (exec rules with an exact match take precedence over glob
  # rules — confirm with the parser before moving to enforce mode).
  @{bin}/*           rpux,
  @{lib}/**          rpux,

  /etc/X11/{,**} r,
  /etc/default/{,*} r,

  # Per-user session files; `owner` limits access to files the user owns.
  owner @{HOME}/ r,
  owner @{HOME}/.Xauthority r,
  owner @{HOME}/.xserverrc r,
  owner @{HOME}/.xsession-errors w,

  # Scratch files, presumably those created by the mktemp/tempfile calls
  # allowed above — confirm the name patterns match what the scripts create.
  owner @{tmp}/file* rw,
  owner @{tmp}/tmp.* rw,

  /dev/tty rw,

  # Child profile for run-parts (target of the rcx rule above).
  profile run-parts flags=(complain) {
    include <abstractions/base-strict>

    @{bin}/run-parts mr,

    # Directory listing only: no exec permission is granted, so run-parts
    # can enumerate the scripts in these directories but not execute them.
    /etc/X11/Xsession.d/ r,
    /etc/X11/Xresources/ r,

    # file_inherit: descriptors already open in the parent at exec time
    # (presumably the controlling terminal and the session error log).
    owner /dev/tty@{int} rw,
    owner @{HOME}/.xsession-errors w,

    include if exists <local/xinit_run-parts>
  }

  # Child profile for udevadm (target of the rcx rule above); its rules come
  # from the shared udevadm app abstraction.
  profile udevadm flags=(complain) {
    include <abstractions/base-strict>
    include <abstractions/app/udevadm>

    include if exists <local/xinit_udevadm>
  }

  # Site-local additions, kept out of this file so upgrades do not clobber them.
  include if exists <local/xinit>
}

# vim:syntax=apparmor
