# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/4.0>,

include <tunables/global>

@{exec_path} = @{bin}/sddm
profile sddm /{,usr/}{,s}bin/sddm  flags=(attach_disconnected,mediate_deleted,complain) {
  include <abstractions/base>
  include <abstractions/authentication>
  include <abstractions/bash-strict>
  include <abstractions/bus-session>
  include <abstractions/bus-system>
  include <abstractions/bus/org.freedesktop.login1>
  include <abstractions/bus/org.freedesktop.UPower>
  include <abstractions/fontconfig-cache-read>
  include <abstractions/graphics>
  include <abstractions/kde-strict>
  include <abstractions/nameservice-strict>
  include <abstractions/wutmp>

  capability audit_write,
  capability chown,
  capability dac_override,
  capability dac_read_search,
  capability fowner,
  capability kill,
  capability net_admin,
  capability setgid,
  capability setuid,
  capability sys_resource,
  capability sys_tty_config,

  network netlink raw,

  ptrace (read),
  ptrace (trace) peer=@{profile_name},

  signal (receive) set=(hup) peer=@{systemd},
  signal (send) set=(kill, term) peer=startplasma,
  signal (send) set=(kill, term) peer=xorg,
  signal (send) set=(term) peer=kwin_wayland,
  signal (send) set=(term) peer=sddm-greeter,
  signal (send) set=(term) peer=startplasma-wayland,

  dbus receive bus=system path=/org/freedesktop/DisplayManager/Seat@{int}
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name=:*, label=kscreenlocker-greet),

  dbus receive bus=system path=/org/freedesktop/DisplayManager/Seat@{int}
       interface=org.freedesktop.DBus.Properties
       member=PropertiesChanged
       peer=(name=:*, label=systemd-logind),

  dbus send bus=system path=/org/freedesktop/DisplayManager/Seat@{int}
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name=org.freedesktop.DBus, label=kscreenlocker-greet),

  @{exec_path} mr,

  @{lib}/@{multiarch}/sddm/sddm-helper      rix,
  @{lib}/plasma-dbus-run-session-if-needed  rix,
  @{lib}/@{multiarch}/libexec/plasma-dbus-run-session-if-needed  rix,
  @{lib}/sddm/sddm-helper                   rix,
  @{lib}/sddm/sddm-helper-start-wayland     rix,
  @{lib}/sddm/sddm-helper-start-x11user     rix,

  @{sh_path}           rix,
  @{bin}/cat           rix,
  @{bin}/checkproc     rix,
  @{bin}/disable-paste rix,
  @{bin}/locale        rix,
  @{bin}/manpath       rix,
  @{bin}/pidof         rix,
  @{bin}/readlink      rix,
  @{bin}/realpath      rix,
  @{bin}/tr            rix,
  @{bin}/tty           rix,
  @{bin}/uname         rix,
  @{bin}/xdm           r,
  @{bin}/xmodmap       rix,

  @{bin}/dbus-run-session     rPx -> dbus-session,
  @{bin}/flatpak              rPx,
  @{bin}/gnome-keyring-daemon rPx,
  @{bin}/kwalletd{5,6}        rPx,
  @{bin}/kwin_wayland         rPx,
  @{bin}/sddm-greeter{,-qt6}  rPx,
  @{bin}/startplasma-wayland  rPx,
  @{bin}/startplasma-x11      rPx,
  @{bin}/sway                rPUx,
  @{bin}/systemctl            rCx -> systemctl,
  @{bin}/xauth                rCx -> xauth,
  @{bin}/Xorg                 rPx,
  @{bin}/xrdb                 rPx,
  @{bin}/xset                 rPx,
  @{bin}/xsetroot             rPx,
  @{etc_ro}/sddm/wayland-session rPx,
  @{etc_ro}/sddm/Xsession     rPx,
  @{etc_ro}/X11/xdm/Xsession  rPx,

  /usr/etc/X11/xdm/Xsetup                 rix,
  /usr/share/sddm/scripts/wayland-session rix,
  /usr/share/sddm/scripts/Xsession        rix,
  /usr/share/sddm/scripts/Xsetup          rix,
  /usr/share/sddm/scripts/Xstop           rix,

  /usr/share/desktop-base/softwaves-theme/login/*.svg r,
  /usr/share/plasma/desktoptheme/** r,
  /usr/share/sddm/faces/.*.icon r,
  /usr/share/sddm/themes/** r,
  /usr/share/wayland-sessions/{,*.desktop} r,
  /usr/share/xsessions/{,*.desktop} r,
  /var/lib/AccountsService/icons/*.icon r,

  /etc/X11/xinit/xinitrc.d/{,*} r,

  /{usr/,}etc/environment r,
  /{usr/,}etc/security/limits.d/{,*.conf} r,
  /{usr/,}etc/X11/Xmodmap r,
  /etc/debuginfod/{,*} r,
  /etc/manpath.config r,
  /etc/default/locale r,
  /etc/locale.conf r,
  /etc/machine-id r,
  /etc/sddm.conf r,
  /etc/sddm.conf.d/{,*} r,
  /etc/shells r,
  /etc/sysconfig/console r,
  /etc/sysconfig/displaymanager r,
  /etc/sysconfig/language r,
  /etc/sysconfig/mail r,
  /etc/sysconfig/proxy r,
  /etc/sysconfig/windowmanager r,

  / r,

  /var/lib/lastlog/ r,
  /var/lib/lastlog/* rwk,

  /var/lib/wtmpdb/ r,
  /var/lib/wtmpdb/* rwk,

        @{SDDM_HOME}/state.conf rw,
  owner @{SDDM_HOME}/** rw,
  owner @{sddm_cache_dirs}/sddm-greeter/qmlcache/*.jsc mrw,
  owner @{sddm_cache_dirs}/sddm-greeter/qmlcache/*.qmlc mrw,

  owner @{HOME}/.local/ w,
  owner @{HOME}/.Xauthority rw,

  owner @{user_config_dirs}/menus/{,**} r,
  owner @{user_config_dirs}/startkderc r,

  owner @{user_share_dirs}/kwalletd/ rw,
  owner @{user_share_dirs}/kwalletd/kdewallet.salt rw,
  owner @{user_share_dirs}/sddm/ w,
  owner @{user_share_dirs}/sddm/wayland-session.log w,
  owner @{user_share_dirs}/sddm/xorg-session.log w,

        /tmp/sddm-* rw,
        /tmp/xauth_@{rand6} rwl -> /tmp/#@{int},
  owner /tmp/*/{,s} rw,
  owner /tmp/#@{int} rw,
  owner /tmp/sddm-auth* rw,

        @{run}/faillock/[a-zA-z0-9]* rwk,
        @{run}/sddm.pid rw,
        @{run}/sddm/\{@{uuid}\} rw,
        @{run}/sddm/#@{int} rw,
        @{run}/sddm/xauth_@{rand6} rwl -> @{run}/sddm/#@{int},
        @{run}/systemd/sessions/*.ref rw,
        @{run}/user/@{uid}/xauth_@{rand6} rwl,
  owner @{run}/sddm/ rw,
  owner @{run}/user/@{uid}/ r,
  owner @{run}/user/@{uid}/#@{int} rw,
  owner @{run}/user/@{uid}/kwallet5.socket rw,

        @{PROC}/ r,
        @{PROC}/uptime r,
        @{PROC}/@{pids}/cmdline r,
        @{PROC}/@{pids}/stat r,
        @{PROC}/sys/kernel/core_pattern r,
  owner @{PROC}/@{pid}/loginuid rw,
  owner @{PROC}/@{pid}/mounts r,
  owner @{PROC}/@{pid}/uid_map r,
  owner @{PROC}/1/limits r,

  /dev/tty@{int} rw,
  /dev/tty rw,

  profile systemctl flags=(attach_disconnected,mediate_deleted,complain) {
    include <abstractions/base>
    include <abstractions/app/systemctl>
  
    include if exists <local/sddm_systemctl>
  }

  profile xauth flags=(attach_disconnected,mediate_deleted,complain) {
    include <abstractions/base>

    @{bin}/xauth mr,

    owner @{HOME}/.Xauthority-c  w,
    owner @{HOME}/.Xauthority-l  wl -> @{HOME}/.Xauthority-c,
    owner @{HOME}/.Xauthority-n rw,
    owner @{HOME}/.Xauthority   rwl -> @{HOME}/.Xauthority-n,

    owner @{user_share_dirs}/sddm/xorg-session.log w,

    owner @{run}/sddm/\{@{uuid}\}-c  w,
    owner @{run}/sddm/\{@{uuid}\}-l  wl -> @{run}/sddm/\{@{uuid}\}-c,
    owner @{run}/sddm/\{@{uuid}\}-n rw,
    owner @{run}/sddm/\{@{uuid}\}   rwl -> @{run}/sddm/\{@{uuid}\}-n,

    include if exists <local/sddm_xauth>
  }

  include if exists <local/sddm>
}
