# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/4.0>,

include <tunables/global>

@{exec_path} = @{bin}/gnome-shell
# Profile for the GNOME Shell compositor/desktop (the user session and, via the
# @{gdm_*} rules below, the GDM greeter instance).
#
# Flags: attach_disconnected maps paths that are disconnected from the current
# namespace back under "/"; mediate_deleted keeps mediating files after they are
# unlinked; `complain` means violations are only logged (audit "ALLOWED"), not
# denied, so nothing in this profile is enforced until that flag is removed.
# NOTE(review): the attachment path is spelled out here although @{exec_path}
# is defined above; the two must be kept in sync.
profile gnome-shell /{,usr/}{,s}bin/gnome-shell  flags=(attach_disconnected,mediate_deleted,complain) {
  # Abstractions: the base runtime, the audio/video/graphics stacks, and one
  # bus/* abstraction per D-Bus service the shell is a client of. What each
  # grants lives in the abstraction file, not here; dconf-write and
  # fontconfig-cache-write are the only write-granting ones in this list.
  include <abstractions/base>
  include <abstractions/app-launcher-user>
  include <abstractions/audio-client>
  include <abstractions/bus-accessibility>
  include <abstractions/bus-session>
  include <abstractions/bus-system>
  include <abstractions/bus/net.hadess.PowerProfiles>
  include <abstractions/bus/net.hadess.SwitcherooControl>
  include <abstractions/bus/net.reactivated.Fprint>
  include <abstractions/bus/org.a11y>
  include <abstractions/bus/org.freedesktop.Accounts>
  include <abstractions/bus/org.freedesktop.background.Monitor>
  include <abstractions/bus/org.freedesktop.ColorManager>
  include <abstractions/bus/org.freedesktop.FileManager1>
  include <abstractions/bus/org.freedesktop.GeoClue2>
  include <abstractions/bus/org.freedesktop.impl.portal.PermissionStore>
  include <abstractions/bus/org.freedesktop.locale1>
  include <abstractions/bus/org.freedesktop.login1.Session>
  include <abstractions/bus/org.freedesktop.login1>
  include <abstractions/bus/org.freedesktop.NetworkManager>
  include <abstractions/bus/org.freedesktop.Notifications>
  include <abstractions/bus/org.freedesktop.PackageKit>
  include <abstractions/bus/org.freedesktop.PolicyKit1>
  include <abstractions/bus/org.freedesktop.portal.Desktop>
  include <abstractions/bus/org.freedesktop.RealtimeKit1>
  include <abstractions/bus/org.freedesktop.secrets>
  include <abstractions/bus/org.freedesktop.systemd1>
  include <abstractions/bus/org.freedesktop.UPower>
  include <abstractions/bus/org.gtk.Private.RemoteVolumeMonitor>
  include <abstractions/bus/org.gtk.vfs.Daemon>
  include <abstractions/bus/org.gtk.vfs.Metadata>
  include <abstractions/bus/org.gtk.vfs.MountTracker>
  include <abstractions/dconf-write>
  include <abstractions/fontconfig-cache-write>
  include <abstractions/gnome-strict>
  include <abstractions/graphics>
  include <abstractions/gstreamer>
  include <abstractions/ibus>
  include <abstractions/nameservice-strict>
  include <abstractions/p11-kit>
  include <abstractions/ssl_certs>
  include <abstractions/thumbnails-cache-read>
  include <abstractions/video>

  # sys_nice: raise scheduling priority / change affinity.
  # sys_ptrace: bypasses the kernel's ptrace access-mode checks; combined with
  # the peer-less `ptrace (read)` rule below this reaches every process on the
  # system, not only the user's own. Worth re-checking once out of complain mode.
  capability sys_nice,
  capability sys_ptrace,

  # Unrestricted TCP/UDP over IPv4/IPv6 — AppArmor has no port/peer mediation
  # here, so this is full network-client access. netlink raw is presumably for
  # libudev/rtnetlink event monitoring — confirm.
  network inet stream,
  network inet6 stream,
  network inet dgram,
  network inet6 dgram,
  network netlink raw,
  network unix stream,

  # `ptrace (read)` without peer= covers PTRACE_MODE_READ checks (as done by
  # many /proc/<pid>/* reads) against any task. `readby` only lets pipewire
  # read gnome-shell, not the other way round.
  ptrace (read),
  ptrace (readby) peer=pipewire,

  # Receiving term/hup is limited to gdm* peers; `signal (send)` is not peer
  # limited and therefore lets the shell signal any process DAC allows.
  signal (receive) set=(term, hup) peer=gdm*,
  signal (send),

  # Unix-socket peers are pinned by AppArmor label; the ibus socket is also
  # matched by its abstract address under the gdm cache directory.
  unix (send,receive) type=stream addr=none peer=(label=gnome-extension-ding),
  unix (send,receive) type=stream addr=none peer=(label=xkbcomp),
  unix (send,receive) type=stream addr=none peer=(label=xwayland),
  unix (send,receive, connect) type=stream peer=(addr="@/var/lib/gdm{3,}/.cache/ibus/dbus-????????", label=ibus-daemon),

  # Owned by gnome-shell
  #
  # Well-known session-bus names this profile may claim (bind), plus the
  # standard Properties/ObjectManager/Introspectable traffic on the matching
  # object paths. peer=(name=":1.@{int}") matches any unique connection name
  # and carries no label, so any confined or unconfined client may call in.

  dbus bind bus=session name=org.gnome.keyring.SystemPrompter{,.*},
  dbus receive bus=session path=/org/gnome/keyring/SystemPrompter{,/**}
       interface=org.gnome.keyring.SystemPrompter{,.*}
       peer=(name=":1.@{int}"),
  dbus receive bus=session path=/org/gnome/keyring/SystemPrompter{,/**}
       interface=org.freedesktop.DBus.Properties
       peer=(name=":1.@{int}"),
  dbus receive bus=session path=/org/gnome/keyring/SystemPrompter{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       peer=(name=":1.@{int}"),
  dbus send bus=session path=/org/gnome/keyring/SystemPrompter{,/**}
       interface=org.gnome.keyring.SystemPrompter{,.*}
       peer=(name="{:1.@{int},org.freedesktop.DBus}"),
  dbus send bus=session path=/org/gnome/keyring/SystemPrompter{,/**}
       interface=org.freedesktop.DBus.Properties
       peer=(name="{:1.@{int},org.freedesktop.DBus}"),
  dbus send bus=session path=/org/gnome/keyring/SystemPrompter{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       peer=(name="{:1.@{int},org.freedesktop.DBus}"),
  dbus receive bus=session path=/org/gnome/keyring/SystemPrompter{,/**}
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name=":1.@{int}"),
  dbus bind bus=session name=org.gnome.Mutter{,.*},
  dbus receive bus=session path=/org/gnome/Mutter{,/**}
       interface=org.gnome.Mutter{,.*}
       peer=(name=":1.@{int}"),
  dbus receive bus=session path=/org/gnome/Mutter{,/**}
       interface=org.freedesktop.DBus.Properties
       peer=(name=":1.@{int}"),
  dbus receive bus=session path=/org/gnome/Mutter{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       peer=(name=":1.@{int}"),
  dbus send bus=session path=/org/gnome/Mutter{,/**}
       interface=org.gnome.Mutter{,.*}
       peer=(name="{:1.@{int},org.freedesktop.DBus}"),
  dbus send bus=session path=/org/gnome/Mutter{,/**}
       interface=org.freedesktop.DBus.Properties
       peer=(name="{:1.@{int},org.freedesktop.DBus}"),
  dbus send bus=session path=/org/gnome/Mutter{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       peer=(name="{:1.@{int},org.freedesktop.DBus}"),
  dbus receive bus=session path=/org/gnome/Mutter{,/**}
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name=":1.@{int}"),
  dbus bind bus=session name=org.gnome.Shell{,.*},
  dbus receive bus=session path=/org/gnome/Shell{,/**}
       interface=org.gnome.Shell{,.*}
       peer=(name=":1.@{int}"),
  dbus receive bus=session path=/org/gnome/Shell{,/**}
       interface=org.freedesktop.DBus.Properties
       peer=(name=":1.@{int}"),
  dbus receive bus=session path=/org/gnome/Shell{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       peer=(name=":1.@{int}"),
  dbus send bus=session path=/org/gnome/Shell{,/**}
       interface=org.gnome.Shell{,.*}
       peer=(name="{:1.@{int},org.freedesktop.DBus}"),
  dbus send bus=session path=/org/gnome/Shell{,/**}
       interface=org.freedesktop.DBus.Properties
       peer=(name="{:1.@{int},org.freedesktop.DBus}"),
  dbus send bus=session path=/org/gnome/Shell{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       peer=(name="{:1.@{int},org.freedesktop.DBus}"),
  dbus receive bus=session path=/org/gnome/Shell{,/**}
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name=":1.@{int}"),

  # NOTE(review): unlike the other owned names, the Unity object path carries
  # no {,/**} suffix, so child objects are not matched — presumably intentional;
  # confirm.
  dbus bind bus=session name=com.canonical.Unity{,.*},
  dbus receive bus=session path=/com/canonical/{U,u}nity
       interface=com.canonical.Unity{,.*}
       peer=(name=":1.@{int}"),
  dbus receive bus=session path=/com/canonical/{U,u}nity
       interface=org.freedesktop.DBus.Properties
       peer=(name=":1.@{int}"),
  dbus receive bus=session path=/com/canonical/{U,u}nity
       interface=org.freedesktop.DBus.ObjectManager
       peer=(name=":1.@{int}"),
  dbus send bus=session path=/com/canonical/{U,u}nity
       interface=com.canonical.Unity{,.*}
       peer=(name="{:1.@{int},org.freedesktop.DBus}"),
  dbus send bus=session path=/com/canonical/{U,u}nity
       interface=org.freedesktop.DBus.Properties
       peer=(name="{:1.@{int},org.freedesktop.DBus}"),
  dbus send bus=session path=/com/canonical/{U,u}nity
       interface=org.freedesktop.DBus.ObjectManager
       peer=(name="{:1.@{int},org.freedesktop.DBus}"),
  dbus receive bus=session path=/com/canonical/{U,u}nity
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name=":1.@{int}"),
  dbus bind bus=session name=com.rastersoft.dingextension{,.*},
  dbus receive bus=session path=/com/rastersoft/dingextension{,/**}
       interface=com.rastersoft.dingextension{,.*}
       peer=(name=":1.@{int}"),
  dbus receive bus=session path=/com/rastersoft/dingextension{,/**}
       interface=org.gtk.Actions
       peer=(name=":1.@{int}"),
  dbus receive bus=session path=/com/rastersoft/dingextension{,/**}
       interface=org.freedesktop.DBus.Properties
       peer=(name=":1.@{int}"),
  dbus receive bus=session path=/com/rastersoft/dingextension{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       peer=(name=":1.@{int}"),
  dbus send bus=session path=/com/rastersoft/dingextension{,/**}
       interface=com.rastersoft.dingextension{,.*}
       peer=(name="{:1.@{int},org.freedesktop.DBus}"),
  dbus send bus=session path=/com/rastersoft/dingextension{,/**}
       interface=org.gtk.Actions
       peer=(name="{:1.@{int},org.freedesktop.DBus}"),
  dbus send bus=session path=/com/rastersoft/dingextension{,/**}
       interface=org.freedesktop.DBus.Properties
       peer=(name="{:1.@{int},org.freedesktop.DBus}"),
  dbus send bus=session path=/com/rastersoft/dingextension{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       peer=(name="{:1.@{int},org.freedesktop.DBus}"),
  dbus receive bus=session path=/com/rastersoft/dingextension{,/**}
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name=":1.@{int}"),
  dbus bind bus=session name=org.gtk.MountOperationHandler{,.*},
  dbus receive bus=session path=/org/gtk/MountOperationHandler{,/**}
       interface=org.gtk.MountOperationHandler{,.*}
       peer=(name=":1.@{int}"),
  dbus receive bus=session path=/org/gtk/MountOperationHandler{,/**}
       interface=org.freedesktop.DBus.Properties
       peer=(name=":1.@{int}"),
  dbus receive bus=session path=/org/gtk/MountOperationHandler{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       peer=(name=":1.@{int}"),
  dbus send bus=session path=/org/gtk/MountOperationHandler{,/**}
       interface=org.gtk.MountOperationHandler{,.*}
       peer=(name="{:1.@{int},org.freedesktop.DBus}"),
  dbus send bus=session path=/org/gtk/MountOperationHandler{,/**}
       interface=org.freedesktop.DBus.Properties
       peer=(name="{:1.@{int},org.freedesktop.DBus}"),
  dbus send bus=session path=/org/gtk/MountOperationHandler{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       peer=(name="{:1.@{int},org.freedesktop.DBus}"),
  dbus receive bus=session path=/org/gtk/MountOperationHandler{,/**}
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name=":1.@{int}"),
  dbus bind bus=session name=org.gtk.Notifications{,.*},
  dbus receive bus=session path=/org/gtk/Notifications{,/**}
       interface=org.gtk.Notifications{,.*}
       peer=(name=":1.@{int}"),
  dbus receive bus=session path=/org/gtk/Notifications{,/**}
       interface=org.freedesktop.DBus.Properties
       peer=(name=":1.@{int}"),
  dbus receive bus=session path=/org/gtk/Notifications{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       peer=(name=":1.@{int}"),
  dbus send bus=session path=/org/gtk/Notifications{,/**}
       interface=org.gtk.Notifications{,.*}
       peer=(name="{:1.@{int},org.freedesktop.DBus}"),
  dbus send bus=session path=/org/gtk/Notifications{,/**}
       interface=org.freedesktop.DBus.Properties
       peer=(name="{:1.@{int},org.freedesktop.DBus}"),
  dbus send bus=session path=/org/gtk/Notifications{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       peer=(name="{:1.@{int},org.freedesktop.DBus}"),
  dbus receive bus=session path=/org/gtk/Notifications{,/**}
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name=":1.@{int}"),
  # StatusNotifierWatcher (system tray) uses a fixed root path, so no {,/**}.
  dbus bind bus=session name=org.kde.StatusNotifierWatcher{,.*},
  dbus receive bus=session path=/StatusNotifierWatcher
       interface=org.kde.StatusNotifierWatcher{,.*}
       peer=(name=":1.@{int}"),
  dbus receive bus=session path=/StatusNotifierWatcher
       interface=org.freedesktop.DBus.Properties
       peer=(name=":1.@{int}"),
  dbus receive bus=session path=/StatusNotifierWatcher
       interface=org.freedesktop.DBus.ObjectManager
       peer=(name=":1.@{int}"),
  dbus send bus=session path=/StatusNotifierWatcher
       interface=org.kde.StatusNotifierWatcher{,.*}
       peer=(name="{:1.@{int},org.freedesktop.DBus}"),
  dbus send bus=session path=/StatusNotifierWatcher
       interface=org.freedesktop.DBus.Properties
       peer=(name="{:1.@{int},org.freedesktop.DBus}"),
  dbus send bus=session path=/StatusNotifierWatcher
       interface=org.freedesktop.DBus.ObjectManager
       peer=(name="{:1.@{int},org.freedesktop.DBus}"),
  dbus receive bus=session path=/StatusNotifierWatcher
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name=":1.@{int}"),

  # Talk with peer services: colord, gdm, ding, gnome-session-binary, gsd-*
  #
  # Unlike the "owned" rules above, every peer here is pinned by AppArmor
  # label, so owning the bus name is not enough — the peer must also run
  # under the named profile.

  dbus send bus=system path=/org/freedesktop/ColorManager{,/**}
       interface=org.freedesktop.ColorManager{,.*}
       peer=(name="{:1.@{int},org.freedesktop.ColorManager{,.*}}", label=colord),
  dbus send bus=system path=/org/freedesktop/ColorManager{,/**}
       interface=org.freedesktop.DBus.Properties
       peer=(name="{:1.@{int},org.freedesktop.ColorManager{,.*}}", label=colord),
  dbus send bus=system path=/org/freedesktop/ColorManager{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       peer=(name="{:1.@{int},org.freedesktop.ColorManager{,.*}}", label=colord),
  dbus receive bus=system path=/org/freedesktop/ColorManager{,/**}
       interface=org.freedesktop.ColorManager{,.*}
       peer=(name="{:1.@{int},org.freedesktop.ColorManager{,.*}}", label=colord),
  dbus receive bus=system path=/org/freedesktop/ColorManager{,/**}
       interface=org.freedesktop.DBus.Properties
       peer=(name="{:1.@{int},org.freedesktop.ColorManager{,.*}}", label=colord),
  dbus receive bus=system path=/org/freedesktop/ColorManager{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       peer=(name="{:1.@{int},org.freedesktop.ColorManager{,.*}}", label=colord),
  dbus send bus=system path=/org/gnome/DisplayManager{,/**}
       interface=org.gnome.DisplayManager{,.*}
       peer=(name="{:1.@{int},org.gnome.DisplayManager{,.*}}", label=gdm),
  dbus send bus=system path=/org/gnome/DisplayManager{,/**}
       interface=org.freedesktop.DBus.Properties
       peer=(name="{:1.@{int},org.gnome.DisplayManager{,.*}}", label=gdm),
  dbus send bus=system path=/org/gnome/DisplayManager{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       peer=(name="{:1.@{int},org.gnome.DisplayManager{,.*}}", label=gdm),
  dbus receive bus=system path=/org/gnome/DisplayManager{,/**}
       interface=org.gnome.DisplayManager{,.*}
       peer=(name="{:1.@{int},org.gnome.DisplayManager{,.*}}", label=gdm),
  dbus receive bus=system path=/org/gnome/DisplayManager{,/**}
       interface=org.freedesktop.DBus.Properties
       peer=(name="{:1.@{int},org.gnome.DisplayManager{,.*}}", label=gdm),
  dbus receive bus=system path=/org/gnome/DisplayManager{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       peer=(name="{:1.@{int},org.gnome.DisplayManager{,.*}}", label=gdm),

  dbus send bus=session path=/com/rastersoft/ding{,/**}
       interface=com.rastersoft.ding{,.*}
       peer=(name="{:1.@{int},com.rastersoft.ding{,.*}}", label=gnome-extension-ding),
  dbus send bus=session path=/com/rastersoft/ding{,/**}
       interface=org.freedesktop.DBus.Properties
       peer=(name="{:1.@{int},com.rastersoft.ding{,.*}}", label=gnome-extension-ding),
  dbus send bus=session path=/com/rastersoft/ding{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       peer=(name="{:1.@{int},com.rastersoft.ding{,.*}}", label=gnome-extension-ding),
  dbus receive bus=session path=/com/rastersoft/ding{,/**}
       interface=com.rastersoft.ding{,.*}
       peer=(name="{:1.@{int},com.rastersoft.ding{,.*}}", label=gnome-extension-ding),
  dbus receive bus=session path=/com/rastersoft/ding{,/**}
       interface=org.freedesktop.DBus.Properties
       peer=(name="{:1.@{int},com.rastersoft.ding{,.*}}", label=gnome-extension-ding),
  dbus receive bus=session path=/com/rastersoft/ding{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       peer=(name="{:1.@{int},com.rastersoft.ding{,.*}}", label=gnome-extension-ding),
  dbus send bus=session path=/org/gnome/SessionManager{,/**}
       interface=org.gnome.SessionManager{,.*}
       peer=(name="{:1.@{int},org.gnome.SessionManager{,.*}}", label=gnome-session-binary),
  dbus send bus=session path=/org/gnome/SessionManager{,/**}
       interface=org.freedesktop.DBus.Properties
       peer=(name="{:1.@{int},org.gnome.SessionManager{,.*}}", label=gnome-session-binary),
  dbus send bus=session path=/org/gnome/SessionManager{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       peer=(name="{:1.@{int},org.gnome.SessionManager{,.*}}", label=gnome-session-binary),
  dbus receive bus=session path=/org/gnome/SessionManager{,/**}
       interface=org.gnome.SessionManager{,.*}
       peer=(name="{:1.@{int},org.gnome.SessionManager{,.*}}", label=gnome-session-binary),
  dbus receive bus=session path=/org/gnome/SessionManager{,/**}
       interface=org.freedesktop.DBus.Properties
       peer=(name="{:1.@{int},org.gnome.SessionManager{,.*}}", label=gnome-session-binary),
  dbus receive bus=session path=/org/gnome/SessionManager{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       peer=(name="{:1.@{int},org.gnome.SessionManager{,.*}}", label=gnome-session-binary),
  # gsd-* is a label glob: any gnome-settings-daemon plugin profile qualifies.
  dbus send bus=session path=/org/gnome/SettingsDaemon/*{,/**}
       interface=org.gnome.SettingsDaemon.*{,.*}
       peer=(name="{:1.@{int},org.gnome.SettingsDaemon.*{,.*}}", label=gsd-*),
  dbus send bus=session path=/org/gnome/SettingsDaemon/*{,/**}
       interface=org.freedesktop.DBus.Properties
       peer=(name="{:1.@{int},org.gnome.SettingsDaemon.*{,.*}}", label=gsd-*),
  dbus send bus=session path=/org/gnome/SettingsDaemon/*{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       peer=(name="{:1.@{int},org.gnome.SettingsDaemon.*{,.*}}", label=gsd-*),
  dbus receive bus=session path=/org/gnome/SettingsDaemon/*{,/**}
       interface=org.gnome.SettingsDaemon.*{,.*}
       peer=(name="{:1.@{int},org.gnome.SettingsDaemon.*{,.*}}", label=gsd-*),
  dbus receive bus=session path=/org/gnome/SettingsDaemon/*{,/**}
       interface=org.freedesktop.DBus.Properties
       peer=(name="{:1.@{int},org.gnome.SettingsDaemon.*{,.*}}", label=gsd-*),
  dbus receive bus=session path=/org/gnome/SettingsDaemon/*{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       peer=(name="{:1.@{int},org.gnome.SettingsDaemon.*{,.*}}", label=gsd-*),

  # System bus

  # The shell registers itself as the polkit authentication agent for the
  # session; BeginAuthentication is polkitd's callback into it. Both sides are
  # pinned to the polkitd label.
  dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
       interface=org.freedesktop.PolicyKit1.Authority
       member=RegisterAuthenticationAgent
       peer=(name=:*, label=polkitd),
  dbus receive bus=system path=/org/freedesktop/PolicyKit1/AuthenticationAgent
       interface=org.freedesktop.PolicyKit1.AuthenticationAgent
       member=BeginAuthentication
       peer=(name=:*, label=polkitd),

  # NetworkManager secret-agent registration (the shell prompts for Wi-Fi/VPN
  # secrets); the agent calls themselves are presumably covered by
  # abstractions/bus/org.freedesktop.NetworkManager — confirm.
  dbus send bus=system path=/org/freedesktop/NetworkManager/AgentManager
       interface=org.freedesktop.NetworkManager.AgentManager
       member={RegisterWithCapabilities,Unregister}
       peer=(name=:*, label=NetworkManager),

  # logind: seat/user property reads and Can* capability queries
  # (e.g. whether the session may power off / suspend), all label-pinned.
  dbus receive bus=system path=/org/freedesktop/login1/seat/seat@{int}
       interface=org.freedesktop.DBus.Properties
       member=PropertiesChanged
       peer=(name=:*, label=systemd-logind),
  dbus send bus=system path=/org/freedesktop/login1/seat/seat@{int}
       interface=org.freedesktop.DBus.Properties
       member=GetAll
       peer=(name=:*, label=systemd-logind),
  dbus send bus=system path=/org/freedesktop/login1
       interface=org.freedesktop.login1.Manager
       member=Can*
       peer=(name=:*, label=systemd-logind),
  dbus send bus=system path=/org/freedesktop/login1/user/*
       interface=org.freedesktop.DBus.Properties
       member=GetAll
       peer=(name=:*, label=systemd-logind),

  # Bus-daemon queries: resolving the uid/pid behind a connection name is how
  # the shell identifies callers (e.g. for the polkit agent above).
  dbus send bus=system path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member={GetConnectionUnixUser,GetConnectionUnixProcessID,GetNameOwner,ListNames}
       peer=(name=org.freedesktop.DBus, label=dbus-system),

  # Session bus

  # Same bus-daemon queries on the session bus; the path=/ variant is the
  # root-object form some clients use for the same interface.
  dbus send bus=session path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member={GetConnectionUnixUser,GetConnectionUnixProcessID,GetNameOwner,ListNames}
       peer=(name=org.freedesktop.DBus, label=dbus-session),
  dbus send bus=session path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus.Properties
       member=GetAll
       peer=(name=org.freedesktop.DBus, label=dbus-session),
  dbus send bus=session path=/
       interface=org.freedesktop.DBus
       member={GetConnectionUnixProcessID,GetNameOwner,ListNames}
       peer=(name=org.freedesktop.DBus, label=dbus-session),

  # AT-SPI: embed the shell's accessible tree under the a11y registry root.
  dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
       interface=org.a11y.atspi.Socket
       member=Embed
       peer=(name=org.a11y.atspi.Registry),

  # gvfsd* label glob covers the main daemon and its backends; no member
  # restriction, so every org.gtk.vfs.* method is reachable.
  dbus send bus=session path=/org/gtk/vfs/**
       interface=org.gtk.vfs.*
       peer=(name=:*, label=gvfsd*),

  dbus send bus=session path=/org/ayatana/NotificationItem/*
       interface=org.freedesktop.DBus.Properties
       member={Get,GetAll}
       peer=(name=:*, label=update-notifier),

  # Job completion signals from the user's systemd instance (label comes from
  # the @{systemd_user} tunable).
  dbus receive bus=session path=/org/freedesktop/systemd1
       interface=org.freedesktop.systemd1.Manager
       member=JobRemoved
       peer=(name=:*, label="@{systemd_user}"),

  # The next three groups have peer=(name=:*) with no label: tray menus,
  # status-notifier items and MPRIS players are implemented by arbitrary
  # applications, so the peer cannot be pinned. Only read-style members
  # (Get/GetAll/GetLayout/AboutToShow) are allowed.
  dbus send bus=session path=/MenuBar
       interface=com.canonical.dbusmenu
       member={AboutToShow,GetLayout,GetGroupProperties}
       peer=(name=:*),

  dbus send bus=session path=/StatusNotifierItem
       interface=org.freedesktop.DBus.Properties
       member={Get,GetAll}
       peer=(name=:*),

  dbus send bus=session path=/org/mpris/MediaPlayer2
       interface=org.freedesktop.DBus.Properties
       member={Get,GetAll}
       peer=(name=:*),

  # Introspection of any object on any session-bus peer (no path, no label);
  # read-only metadata, so the breadth is acceptable.
  dbus send bus=session
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name=:*),
  dbus send bus=session
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name=org.freedesktop.DBus, label=dbus-session),

  @{exec_path} mr,

  # Child programs: Xwayland and the polkit agent helper run under their own
  # profiles (Px). NOTE(review): `@{lib}/* rPUx` is the broadest transition in
  # the file — any helper directly under @{lib} without a profile runs
  # unconfined; listing the helpers actually needed would narrow it.
  # gio-launch-desktop inherits this profile (ix); what it then launches is
  # presumably covered by abstractions/app-launcher-user — confirm.
  @{bin}/Xwayland         rPx,
  @{lib}/polkit-1/polkit* rPx,
  @{lib}/*                rPUx,
  @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rix,

  # Desktop-icons (DING) extension helper; presumably attaches to the
  # gnome-extension-ding profile referenced by the unix/dbus peer rules above.
  /usr/share/gnome-shell/extensions/ding@rastersoft.com/{,*/}ding.js rPx,

  # Read-only theme, icon, background, session and input-quirk data.
  /opt/**/share/icons/{,**} r,
  /opt/*/**/*.png r,
  /snap/*/@{uid}/**.png r,
  /usr/share/{,zoneinfo-}icu/{,**} r,
  /usr/share/**.{png,jpg,svg} r,
  /usr/share/**/icons/{,**} r,
  /usr/share/backgrounds/{,**} r,
  /usr/share/byobu/desktop/byobu* r,
  /usr/share/dconf/profile/gdm r,
  /usr/share/desktop-base/** r,
  /usr/share/desktop-directories/{,*.directory} r,
  /usr/share/egl/{,**} r,
  /usr/share/gdm/BuiltInSessions/{,*.desktop} r,
  /usr/share/gdm/greeter-dconf-defaults r,
  /usr/share/gdm/greeter/applications/{,**} r,
  /usr/share/gnome-shell/{,**} r,
  /usr/share/libgweather/Locations.xml r,
  /usr/share/libinput*/ r,
  /usr/share/libinput*/{,**/}[0-9][0-9]-*.quirks r,
  /usr/share/libinput*/libinput/ r,
  /usr/share/libwacom/{,*.stylus,*.tablet} r,
  /usr/share/wallpapers/** r,
  /usr/share/wayland-sessions/{,*.desktop} r,
  /usr/share/xml/iso-codes/{,**} r,

  /.flatpak-info r,
  /etc/fstab r,
  /etc/timezone r,
  /etc/udev/hwdb.bin r,
  /etc/xdg/menus/gnome-applications.menu r,

  # User avatars shown on the lock screen / greeter.
  /var/lib/AccountsService/icons/* r,

  /var/lib/flatpak/app/**/gnome-shell/{,**} r,
  /var/lib/flatpak/appstream/**/icons/** r,
  /var/lib/flatpak/exports/share/gnome-shell/{,**} r,

  # Greeter instance: state under the gdm user's home/cache/config dirs.
  # All owner-restricted, so only the gdm user's own files are reachable.
  owner @{GDM_HOME}/greeter-dconf-defaults r,
  owner @{gdm_cache_dirs}/ w,
  owner @{gdm_cache_dirs}/event-sound-cache.tdb.@{hex32}.@{multiarch} rwk,
  owner @{gdm_cache_dirs}/fontconfig/{,*} rwl,
  owner @{gdm_cache_dirs}/gstreamer-@{int}/ rw,
  owner @{gdm_cache_dirs}/gstreamer-@{int}/registry.*.bin{,.tmp@{rand6}} rw,
  owner @{gdm_cache_dirs}/ibus/dbus-@{rand8} rw,
  owner @{gdm_cache_dirs}/libgweather/ r,
  owner @{gdm_config_dirs}/dconf/user r,
  owner @{gdm_config_dirs}/ibus/ rw,
  owner @{gdm_config_dirs}/ibus/bus/ rw,
  owner @{gdm_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r,
  owner @{gdm_config_dirs}/pulse/ rw,
  owner @{gdm_config_dirs}/pulse/client.conf r,
  owner @{gdm_config_dirs}/pulse/cookie rwk,
  owner @{gdm_share_dirs}/applications/{,**} r,
  owner @{gdm_share_dirs}/gnome-shell/{,**} rw,
  owner @{gdm_share_dirs}/icc/ r,
  owner @{gdm_share_dirs}/icc/edid-@{hex32}.icc rw,
  owner @{gdm_share_dirs}/icc/.goutputstream-@{rand6} rw,

  # User session: avatar, MPRIS cover art from Firefox, flatpak app icons,
  # screenshots (the only rw under $HOME here) and wallpapers.
  owner @{HOME}/.face r,
  owner @{HOME}/.mozilla/firefox/firefox-mpris/{,*} r,
  owner @{HOME}/.var/app/**/ r,
  owner @{HOME}/.var/app/**.{png,jpg,svg} r,
  owner @{HOME}/@{XDG_SCREENSHOTS_DIR}/{,**} rw,
  owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,

  owner @{user_games_dirs}/**.{png,jpg,svg} r,
  owner @{user_music_dirs}/**.{png,jpg,svg} r,

  # .goutputstream-* is GLib's atomic-save temp file (here for monitors.xml).
  owner @{user_config_dirs}/.goutputstream{,-@{rand6}} rw,
  owner @{user_config_dirs}/background r,
  owner @{user_config_dirs}/ibus/ w,
  owner @{user_config_dirs}/monitors.xml{,~} rwl,
  owner @{user_config_dirs}/tiling-assistant/{,**} rw,

  # Extensions dir is read-only here; installing extensions goes through
  # the *.shell-extension.zip temp file below and the gnome-shell/ rw rule.
  owner @{user_share_dirs}/backgrounds/{,**} rw,
  owner @{user_share_dirs}/desktop-directories/{,**} r,
  owner @{user_share_dirs}/gnome-shell/{,**} rw,
  owner @{user_share_dirs}/gnome-shell/extensions/{,**} r,
  owner @{user_share_dirs}/gvfs-metadata/{,*} r,
  owner @{user_share_dirs}/icc/ r,
  owner @{user_share_dirs}/icc/.goutputstream-@{rand6} rw,
  owner @{user_share_dirs}/icc/edid-@{hex32}.icc rw,

  # Caches of other apps read for thumbnails/art; only screenshot and
  # weather caches are writable.
  owner @{user_cache_dirs}/evolution/addressbook/*/PHOTO-*.JPEG r,
  owner @{user_cache_dirs}/gnome-boxes/*.png r,
  owner @{user_cache_dirs}/gnome-photos/{,**} r,
  owner @{user_cache_dirs}/gnome-screenshot/{,**} rw,
  owner @{user_cache_dirs}/libgweather/{,**} rw,
  owner @{user_cache_dirs}/media-art/{,**} r,
  owner @{user_cache_dirs}/vlc/**/*.jpg r,

  # Runtime dir: the disable-extensions marker, the shell's own runtime state
  # and sockets it connects to (gvfs, snap wayland cursor shm, sd_notify).
  owner @{run}/user/@{uid}/gnome-shell-disable-extensions rw,
  owner @{run}/user/@{uid}/gnome-shell/{,**} rw,
  owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
  owner @{run}/user/@{uid}/snap.snap*/wayland-cursor-shared-* rw,
  owner @{run}/user/@{uid}/systemd/notify rw,

  # Shared-memory buffers exported by Chromium-based apps and Firefox
  # (presumably for window content / screencast) — confirm.
  owner /dev/shm/.org.chromium.Chromium.* rw,
  owner /dev/shm/wayland.mozilla.ipc.@{int} rw,

  # NOTE(review): the two /tmp rules below are deliberately not owner
  # restricted (the X lock file and the D-Bus socket may belong to another
  # uid when the greeter hands over to the session); they are the only
  # non-owner rw paths under a world-writable directory in this profile.
        /tmp/.X@{int}-lock rw,
        /tmp/dbus-@{rand8} rw,
  owner /tmp/@{rand6}.shell-extension.zip rw,
  owner /tmp/gdkpixbuf-xpm-tmp.@{rand6} rw,

  # logind state; inhibit/*.ref is rw because the shell takes inhibitor locks.
  @{run}/systemd/users/@{uid} r,
  @{run}/systemd/seats/seat@{int} r,
  @{run}/systemd/sessions/  r,
  @{run}/systemd/sessions/* r,
  @{run}/systemd/inhibit/[0-9]*.ref rw,

  @{run}/udev/tags/seat/ r,

  # udev device database entries (libudev enumeration); all read-only.
  @{run}/udev/data/+input:input@{int} r,  # for mouse, keyboard, touchpad
  @{run}/udev/data/+platform:* r,
  @{run}/udev/data/+dmi:id r,             # for motherboard info
  @{run}/udev/data/+acpi* r,
  @{run}/udev/data/+pci:* r,              # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.)
  @{run}/udev/data/+sound:card@{int} r,   # for sound card
  @{run}/udev/data/+usb* r,               # for USB mouse and keyboard
  @{run}/udev/data/+i2c:* r,
  @{run}/udev/data/+hid:* r,              # for HID-Compliant Keyboard
  @{run}/udev/data/c10:@{int} r,          # for non-serial mice, misc features
  @{run}/udev/data/c13:@{int} r,          # for /dev/input/*
  @{run}/udev/data/c189:@{int}  r,        # for /dev/bus/usb/**
  @{run}/udev/data/c226:@{int} r,         # for /dev/dri/card*
  @{run}/udev/data/n@{int} r,             # for network interfaces

  # sysfs: device enumeration, hwmon temperature/fan sensors, battery state,
  # the boot GPU and per-interface traffic counters.
  @{sys}/**/uevent r,
  @{sys}/bus/ r,
  @{sys}/class/hwmon/ r,
  @{sys}/class/input/ r,
  @{sys}/class/net/ r,
  @{sys}/class/power_supply/ r,
  @{sys}/devices/**/hwmon@{int}/{,name,temp*,fan*} r,
  @{sys}/devices/**/hwmon@{int}/**/{,name,temp*,fan*} r,
  @{sys}/devices/**/hwmon/{,name,temp*,fan*} r,
  @{sys}/devices/**/hwmon/**/{,name,temp*,fan*} r,
  @{sys}/devices/**/power_supply/{,**} r,
  @{sys}/devices/@{pci}/boot_vga r,
  @{sys}/devices/@{pci}/input@{int}/{properties,name} r,
  @{sys}/devices/@{pci}/net/*/statistics/{rx_bytes,tx_bytes} r,
  @{sys}/devices/platform/**/input@{int}/{properties,name} r,
  @{sys}/devices/virtual/net/*/statistics/{rx_bytes,tx_bytes} r,

  # CPU quota of the session's cgroup hierarchy (read-only).
  @{sys}/fs/cgroup/user.slice/cpu.max r,
  @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r,
  @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r,
  @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/cpu.max r,

  # procfs. The non-owner rules on the first lines apply to every process:
  # NOTE(review): `@{PROC}/@{pids}/cmdline r` together with the unrestricted
  # `ptrace (read)` above exposes the command line of any process on the
  # system (other users' included); consider whether `owner` suffices.
        @{PROC}/ r,
        @{PROC}/@{pid}/attr/current r,
        @{PROC}/@{pid}/cgroup r,
        @{PROC}/@{pid}/net/* r,
        @{PROC}/@{pid}/stat r,
        @{PROC}/@{pid}/task/@{tid}/stat r,
        @{PROC}/@{pids}/cmdline r,
        @{PROC}/1/cgroup r,
        @{PROC}/cmdline r,
        @{PROC}/sys/kernel/osrelease r,
        @{PROC}/sys/net/ipv{4,6}/conf/all/disable_ipv{4,6} r,
  owner @{PROC}/@{pid}/fd/ r,
  owner @{PROC}/@{pid}/fdinfo/@{int} r,
  owner @{PROC}/@{pid}/mountinfo r,
  owner @{PROC}/@{pid}/mounts r,
  owner @{PROC}/@{pid}/task/@{pid}/cmdline r,
  owner @{PROC}/@{pid}/task/@{tid}/comm rw,

  # Direct device access. rw on every /dev/input/event* node gives the
  # compositor all keyboard/pointer events system-wide (that is its job, but
  # it is also the highest-value grant in this profile); the compositor
  # presumably receives these fds from logind in the normal path — confirm
  # direct open is still required. /dev/tty* is for VT switching.
  /dev/input/event@{int} rw,
  /dev/media@{int} rw,
  /dev/tty@{int} rw,

  # Site-local additions are loaded last so they can extend the rules above.
  include if exists <local/gnome-shell>
}
