# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

# Policy ABI: rule semantics follow the AppArmor 4.0 feature set.
abi <abi/4.0>,

include <tunables/global>

# Confined binary; the attachment path on the profile line below must match it.
@{exec_path} = @{lib}/gnome-terminal-server
# Profile for the GNOME Terminal server process (the D-Bus activated backend
# that owns the terminal windows and spawns the user's shell).
# NOTE: flags=(complain) means violations are logged, not enforced.
profile gnome-terminal-server /{,usr/}lib{,exec,32,64}/gnome-terminal-server flags=(complain) {
  include <abstractions/base>
  include <abstractions/audio-client>
  include <abstractions/bus-accessibility>
  include <abstractions/bus-session>
  include <abstractions/bus/org.a11y>
  include <abstractions/bus/org.freedesktop.portal.Desktop>
  include <abstractions/bus/org.gtk.vfs.MountTracker>
  include <abstractions/consoles>
  include <abstractions/dconf-write>
  include <abstractions/gnome-strict>

  # Signals sent to child processes started from a terminal tab; the
  # unconfined peer presumably covers the shell launched via rUx below.
  signal (send) set=(hup) peer=htop,
  signal (send) set=(term hup kill) peer=unconfined,

  # ptrace read only (no trace/tracedby); needed to inspect peer /proc
  # entries such as the cmdline/cgroup rules further down.
  ptrace (read) peer=htop,
  ptrace (read) peer=unconfined,

  # Owns the org.gnome.Terminal well-known name on the session bus.
  dbus bind bus=session name=org.gnome.Terminal{,.*},
  # Terminal object API: callers are restricted to unique bus names (":1.N")
  # but not to a specific peer label.
  dbus receive bus=session path=/org/gnome/Terminal{,/**}
       interface=org.gnome.Terminal{,.*}
       peer=(name=":1.@{int}"),
  dbus receive bus=session path=/org/gnome/Terminal{,/**}
       interface=org.gtk.Actions
       peer=(name=":1.@{int}"),
  dbus receive bus=session path=/org/gnome/Terminal{,/**}
       interface=org.freedesktop.DBus.Properties
       peer=(name=":1.@{int}"),
  dbus receive bus=session path=/org/gnome/Terminal{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       peer=(name=":1.@{int}"),
  # Replies/signals back to those callers, or to the bus daemon itself.
  dbus send bus=session path=/org/gnome/Terminal{,/**}
       interface=org.gnome.Terminal{,.*}
       peer=(name="{:1.@{int},org.freedesktop.DBus}"),
  dbus send bus=session path=/org/gnome/Terminal{,/**}
       interface=org.gtk.Actions
       peer=(name="{:1.@{int},org.freedesktop.DBus}"),
  dbus send bus=session path=/org/gnome/Terminal{,/**}
       interface=org.freedesktop.DBus.Properties
       peer=(name="{:1.@{int},org.freedesktop.DBus}"),
  dbus send bus=session path=/org/gnome/Terminal{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       peer=(name="{:1.@{int},org.freedesktop.DBus}"),
  dbus receive bus=session path=/org/gnome/Terminal{,/**}
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name=":1.@{int}"),

  # Search-provider endpoint: only a peer confined as gnome-shell may call it.
  dbus receive bus=session path=/org/gnome/Terminal/SearchProvider
       interface=org.gnome.Shell.SearchProvider2
       peer=(name=:*, label=gnome-shell),

  # Asks the systemd user manager to run each terminal in its own transient
  # unit; both the bus name and the peer label are pinned.
  dbus send bus=session path=/org/freedesktop/systemd1
       interface=org.freedesktop.systemd1.Manager
       member=StartTransientUnit
       peer=(name=org.freedesktop.systemd1, label="@{systemd_user}"),

  @{exec_path} mr,

  # The shell is not confined on purpose: rUx transitions to unconfined
  # (with a scrubbed environment), so everything the user runs from the
  # terminal inherits no confinement from this profile.
  @{bin}/@{shells}            rUx,

  # Some CLI programs can be launched directly from GNOME Shell.
  # rPx: switch to the program's own profile; rPUx: use its profile if one
  # is loaded, otherwise run unconfined.
  @{bin}/htop                 rPx,
  @{bin}/micro               rPUx,
  @{bin}/nvtop                rPx,

  # Opening URLs/files is delegated to the shared child-open profile.
  @{open_path}                rPx -> child-open,

  # ICU locale data used for text handling.
  /usr/share/icu/@{int}.@{int}/*.dat r,

  # Used to validate the shell binary to launch.
  /etc/shells r,

  owner @{user_config_dirs}/*xdg-terminals.list* rw,
  # ibus input-method socket address files.
  owner @{user_config_dirs}/ibus/bus/ r,
  owner @{user_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r,

  # Unlinked temporary files show up to AppArmor as /tmp/#<inode>.
  owner /tmp/#@{int} rw,

  # Reads peer process state (pairs with the ptrace (read) rules above).
  @{PROC}/@{pids}/cmdline r,
  @{PROC}/@{pids}/cgroup r,

  # Pseudo-terminal master, one per terminal tab.
  /dev/ptmx rw,

  include if exists <local/gnome-terminal-server>
}
