# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Mikhail Morfikov
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/4.0>,

include <tunables/global>

@{exec_path} = @{bin}/nemo
profile nemo /{,usr/}{,s}bin/nemo flags=(complain) {
  include <abstractions/base>
  include <abstractions/gtk>
  include <abstractions/fonts>
  include <abstractions/fontconfig-cache-read>
  include <abstractions/freedesktop.org>
  include <abstractions/nameservice-strict>

  # This should be tightened when the "profile has merged rule with conflicting x modifiers" error
  # will be fixed. (#FIXME#)
  include <abstractions/app-launcher-user>
  include <abstractions/app-launcher-root>

  # For root window
  deny capability dac_read_search,
  deny capability dac_override,

  # Needed?
  deny capability sys_nice,

  network inet stream,
  network inet6 stream,

  @{exec_path} mr,

  @{lib}/@{multiarch}/nemo/** mrix,

  @{lib}/gvfsd-*              rPx,

  owner @{PROC}/@{pid}/mountinfo r,
  owner @{PROC}/@{pid}/mounts r,
  owner @{PROC}/@{pid}/fd/ r,

  # To read/write files in the system. The read permission is granted for all files, the write
  # permission only for the owner. Also, dirs like /dev/, /efi/, /proc/, /sys/ are not included in
  # the list.
        /         r,
        /boot/    r,
        /boot/**  r,
  owner /boot/**  rw,
        /etc/     r,
        /etc/**   r,
  owner /etc/**   rw,
        /home/    r,
        /home/**  r,
  owner /home/**  rw,
        /lost+found/ r,
        /lost+found/** r,
  owner /lost+found/** rw,
        @{MOUNTS}/   r,
        @{MOUNTS}/** r,
  owner @{MOUNTS}/** rw,
        /opt/     r,
        /opt/**   r,
  owner /opt/**   rw,
        /root/    r,
        /root/**  r,
  owner /root/**  rw,
        @{run}/   r,
        @{run}/** r,
  owner @{run}/** rw,
        /srv/     r,
        /srv/**   r,
  owner /srv/**   rw,
        /tmp/     r,
        /tmp/**   r,
  owner /tmp/**   rw,
        /usr/     r,
        /usr/**   r,
  owner /usr/**   rw,
        /var/     r,
        /var/**   r,
  owner /var/**   rw,

  include if exists <local/nemo>
}
