# apparmor.d - Full set of apparmor profiles
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/4.0>,

include <tunables/global>

@{exec_path} = @{bin}/rustdesk
profile rustdesk /{,usr/}{,s}bin/rustdesk flags=(complain) {
  include <abstractions/base>
  include <abstractions/audio-client>
  include <abstractions/bus-accessibility>
  include <abstractions/bus-session>
  include <abstractions/bus/org.a11y>
  include <abstractions/desktop>
  include <abstractions/fontconfig-cache-read>
  include <abstractions/nameservice-strict>

  capability dac_read_search,
  capability dac_override,

  network inet dgram,
  network inet6 dgram,
  network inet stream,
  network inet6 stream,
  network netlink raw,  # discovery

  @{exec_path} mrix,

  @{bin}/w        rPx,
  @{bin}/ps       rPx,
  @{bin}/whoami   rPx,
  @{bin}/loginctl rPx,
  @{bin}/curl     rix,
  @{bin}/ls       rix,

  @{bin}/sudo rCx           -> sudo,
  @{bin}/python3.@{int} rPx -> rustdesk_python,
  @{sh_path}            rPx -> rustdesk_shell,

  /etc/gdm{,3}/custom.conf r,

  owner @{HOME}/ r,  # fails otherwise
  owner @{HOME}/[rR]ust[dD]esk/{,**} rw,

  owner @{HOME}/.local/ w,
  owner @{user_share_dirs}/ w,
  owner @{user_share_dirs}/logs/ w,
  owner @{user_share_dirs}/logs/[rR]ust[dD]esk/{,**} rw,
  owner @{user_config_dirs}/[rR]ust[dD]esk/{,**} rw,

  /tmp/[rR]ust[dD]esk/{,**} rw,

  @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_{cur,min,max}_freq r,

        @{PROC}/uptime r,
  owner @{PROC}/@{pid}/cgroup r,
  owner @{PROC}/@{pid}/cmdline r,

  profile sudo flags=(complain) {
    include <abstractions/base>
    include <abstractions/python>
    include <abstractions/app/sudo>

    @{bin}/rustdesk rPx,
    @{bin}/python3.@{int}    rPx -> rustdesk_python,

    include if exists <local/rustdesk_sudo>
  }

  include if exists <local/rustdesk>
}

profile rustdesk_pynput_service /usr/share/rustdesk/files/pynput_service.py flags=(complain) {
  include <abstractions/base>

  @{exec_path} r,

  include if exists <local/rustdesk_pynput_service>
}

profile rustdesk_python flags=(complain) {
  include <abstractions/base>
  include <abstractions/python>

  capability dac_read_search,
  capability dac_override,

  @{bin}/python3.@{int} r,

  @{sh_path}        rix,
  @{bin}/chmod rix,
  @{bin}/uname rPx,
  /usr/share/rustdesk/files/pynput_service.py rPx,

  /usr/share/[rR]ust[dD]esk/files/{,**} r,
  /tmp/[rR]ust[dD]esk/ w,
  /tmp/[rR]ust[dD]esk/pynput_service rw,

  @{run}/user/@{uid}/gdm{,3}/Xauthority r,

  owner @{PROC}/@{pid}/fd/ r,

  # X-tiny
  /tmp/.X11-unix/* rw,
  owner @{HOME}/.xsession-errors w,
  owner @{HOME}/.Xauthority r,

  include if exists <local/rustdesk_python>
}

profile rustdesk_shell flags=(complain) {
  include <abstractions/base>

       capability sys_ptrace,
       capability dac_read_search,
  deny capability dac_override,

  ptrace (read),

  @{sh_path}        r,

  @{bin}/tr       rix,
  @{bin}/{,e}grep rix,
  @{bin}/tail     rix,
  @{bin}/xargs    rix,
  @{bin}/sed      rix,
  @{bin}/cat      rix,

  @{bin}/ps rPx,

  owner @{PROC}/@{pid}/fd/ r,
        @{PROC}/@{pid}/environ r,

  include if exists <local/rustdesk_shell>
}
