# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/4.0>,

include <tunables/global>

@{exec_path} = @{bin}/linssid @{bin}/linssid-pkexec
profile linssid /{{,usr/}{,s}bin/linssid,{,usr/}{,s}bin/linssid-pkexec} flags=(complain) {
  include <abstractions/base>
  include <abstractions/X>
  include <abstractions/gtk>
  include <abstractions/fonts>
  include <abstractions/fontconfig-cache-read>
  include <abstractions/freedesktop.org>
  include <abstractions/nameservice-strict>
  include <abstractions/dri-enumerate>
  include <abstractions/mesa>

  # For reading/saving config/log files when linssid is started via pkexec
  #capability dac_read_search,
  #capability dac_override,

  # Needed?
  deny capability sys_admin,
  deny capability sys_nice,

  @{exec_path} mr,

  @{sh_path}        rix,
  @{bin}/cat        rix,

  # When linssid is run as root, it wants to exec dbus-launch, and hence it creates the two
  # following root processes:
  #  dbus-launch --autolaunch e0a30ad97cd6421c85247839ccef9db2 --binary-syntax --close-stderr
  #  /usr/bin/dbus-daemon --syslog-only --fork --print-pid 5 --print-address 7 --session
  #
  # Should this be allowed? Linssid works fine without this.
  #@{bin}/dbus-launch        rCx -> dbus,
  #@{bin}/dbus-send          rCx -> dbus,
  deny @{bin}/dbus-launch rx,
  deny @{bin}/dbus-send   rx,

  @{bin}/iw      rCx -> iw,
  @{bin}/pkexec      rPx,

  # For regular run as root user
  owner @{HOME}/.linssid.prefs rw,
  owner @{HOME}/LinSSID.datalog rw,
  # For pkexec
  #@{HOME}/.linssid.prefs rw,
  #@{HOME}/LinSSID.datalog rw,

  /usr/share/linssid/{,*} r,

  /usr/share/hwdata/pnp.ids r,

  owner @{user_config_dirs}/qt5ct/{,**} r,
  /usr/share/qt5ct/** r,

  owner @{PROC}/@{pid}/fd/ r,
  owner @{PROC}/@{pid}/net/wireless r,
  owner @{PROC}/@{pid}/cmdline r,

  owner /tmp/runtime-root/ rw,
  owner /tmp/linssid_* rw,

  /var/lib/dbus/machine-id r,
  /etc/machine-id r,

  # For shell pwd
  /root/ r,

  # file_inherit
  owner /dev/tty@{int} rw,


  profile iw flags=(complain) {
    include <abstractions/base>

    capability net_admin,
    deny capability sys_module,

    network netlink raw,

    @{bin}/iw mr,

    # file_inherit
    owner @{HOME}/.linssid.prefs rw,
    owner @{HOME}/LinSSID.datalog rw,
    owner /tmp/linssid_* rw,
    owner /dev/dri/card@{int} rw,

  }

  profile dbus flags=(complain) {
    include <abstractions/base>
    include <abstractions/nameservice-strict>

    @{bin}/dbus-launch   mr,
    @{bin}/dbus-send     mr,
    @{bin}/dbus-daemon rPUx,

    # for dbus-launch
    owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w,

    @{HOME}/.Xauthority r,
  }

  include if exists <local/linssid>
}
