# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2015-2021 Mikhail Morfikov
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/4.0>,

include <tunables/global>

@{name} = thunderbird{,.sh,-bin} 
@{lib_dirs} = @{lib}/@{name}
@{config_dirs} = @{HOME}/.@{name}/
@{cache_dirs} = @{user_cache_dirs}/@{name}/

@{exec_path} = @{bin}/@{name} @{lib_dirs}/@{name}
profile thunderbird /{{,usr/}{,s}bin/thunderbird{,.sh,-bin},{,usr/}{,s}bin/,{,usr/}lib{,exec,32,64}/thunderbird{,.sh,-bin}/thunderbird{,.sh,-bin},{,usr/}lib{,exec,32,64}//} flags=(complain) {
  include <abstractions/base>
  include <abstractions/audio-client>
  include <abstractions/bus-session>
  include <abstractions/bus-system>
  include <abstractions/bus/org.a11y>
  include <abstractions/bus/org.freedesktop.portal.Desktop>
  include <abstractions/bus/org.freedesktop.RealtimeKit1>
  include <abstractions/dconf-write>
  include <abstractions/desktop>
  include <abstractions/enchant>
  include <abstractions/fontconfig-cache-read>
  include <abstractions/graphics>
  include <abstractions/nameservice-strict>
  include <abstractions/ssl_certs>
  include <abstractions/thumbnails-cache-read>
  include <abstractions/uim>
  include <abstractions/user-download-strict>

  userns,

  capability sys_admin, # If kernel.unprivileged_userns_clone = 1
  capability sys_chroot, # If kernel.unprivileged_userns_clone = 1

  network inet dgram,
  network inet6 dgram,
  network inet stream,
  network inet6 stream,
  network netlink raw,

  ptrace peer=@{profile_name},

  dbus bind bus=session name=org.mozilla.thunderbird{,.*},
  dbus receive bus=session path=/org/mozilla/thunderbird{,/**}
       interface=org.mozilla.thunderbird{,.*}
       peer=(name=":1.@{int}"),
  dbus receive bus=session path=/org/mozilla/thunderbird{,/**}
       interface=org.freedesktop.DBus.Properties
       peer=(name=":1.@{int}"),
  dbus receive bus=session path=/org/mozilla/thunderbird{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       peer=(name=":1.@{int}"),
  dbus send bus=session path=/org/mozilla/thunderbird{,/**}
       interface=org.mozilla.thunderbird{,.*}
       peer=(name="{:1.@{int},org.freedesktop.DBus}"),
  dbus send bus=session path=/org/mozilla/thunderbird{,/**}
       interface=org.freedesktop.DBus.Properties
       peer=(name="{:1.@{int},org.freedesktop.DBus}"),
  dbus send bus=session path=/org/mozilla/thunderbird{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       peer=(name="{:1.@{int},org.freedesktop.DBus}"),
  dbus receive bus=session path=/org/mozilla/thunderbird{,/**}
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name=":1.@{int}"),

  dbus receive bus=system path=/org/freedesktop/login1
       interface=org.freedesktop.login1.Manager
       member={UserAdded,UserRemoved}
       peer=(name=:*, label=systemd-logind),

  dbus receive bus=system
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name=:*, label=gnome-shell),

  @{exec_path} mrix,

  @{sh_path}                rix,
  @{bin}/which.debianutils  rix,

  @{lib_dirs}/{,**}                            r,
  @{lib_dirs}/*.so                            mr,
  @{lib_dirs}/glxtest                        rPx,
  @{lib_dirs}/thunderbird-wrapper-helper.sh  rix,
  @{lib_dirs}/vaapitest                      rPx,

  @{lib}/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemX11Plugin.so mr,

  # GPG integration
  @{bin}/gpg{,2}     rPx,
  @{bin}/gpgconf     rPx,
  @{bin}/gpgsm       rPx,

  # Desktop integration
  @{bin}/lsb_release rPx -> lsb_release,
  @{open_path}       rPx -> child-open,

  # Allowed apps to open
  @{bin}/engrampa                                         rPx,
  @{bin}/geany                                            rPx,
  @{bin}/qpdfview                                         rPx,
  @{bin}/viewnior                                        rPUx,
  @{brave_path}                                           rPx,
  @{chrome_path}                                          rPx,
  @{firefox_path}                                         rPx,
  @{opera_path}                                           rPx,

  /usr/share/@{name}/{,**} r,
  /usr/share/gvfs/remote-volume-monitors/{,*} r,
  /usr/share/lightning/{,**} r,
  /usr/share/mozilla/extensions/{,**} r,
  /usr/share/qt5ct/** r,
  /usr/share/xul-ext/kwallet5/* r,

  /etc/@{name}/{,**} r,
  /etc/fstab r,
  /etc/mailcap r,
  /etc/mime.types r,
  /etc/timezone r,
  /etc/xul-ext/kwallet5.js r,

  owner /var/mail/* rwk,

  owner @{HOME}/ r,

  owner @{user_config_dirs}/kwalletrc r,
  owner @{user_config_dirs}/mimeapps.list.* rw,
  owner @{user_config_dirs}/qt5ct/{,**} r,

  owner @{user_mail_dirs}/ rw,
  owner @{user_mail_dirs}/** rwl -> @{user_mail_dirs}/**,

  owner @{config_dirs}/ rw,
  owner @{user_config_dirs}/gtk-3.0/assets/* r,
  owner @{config_dirs}/*/ rw,
  owner @{config_dirs}/*/** rwk,
  owner @{config_dirs}/installs.ini rw,
  owner @{config_dirs}/profiles.ini rw,

  owner @{user_cache_dirs}/gtk-3.0/**/*.cache r,

  owner @{cache_dirs}/{,**} rw,

        /tmp/ r,
    /var/tmp/ r,
  owner /tmp/@{name}{,_*}/ rw,
  owner /tmp/@{name}{,_*}/* rwk,
  owner /tmp/* rw,
  owner /tmp/mozilla_*/ rw,
  owner /tmp/mozilla_*/* rw,
  owner /tmp/MozillaMailnews/ rw,
  owner /tmp/MozillaMailnews/*.msf rw,
  owner /tmp/Temp-@{uuid}/ rw,

  @{run}/mount/utab r,

  @{sys}/cgroup/cpu,cpuacct/user.slice/cpu.cfs_quota_us r,
  @{sys}/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r,

        @{PROC}/@{pids}/net/arp r,
        @{PROC}/@{pids}/net/route r,
  owner @{PROC}/@{pid}/cgroup r,
  owner @{PROC}/@{pid}/cmdline r,
  owner @{PROC}/@{pid}/environ r,
  owner @{PROC}/@{pid}/fd/ r,
  owner @{PROC}/@{pid}/gid_map w, # If kernel.unprivileged_userns_clone = 1
  owner @{PROC}/@{pid}/mountinfo r,
  owner @{PROC}/@{pid}/mounts r,
  owner @{PROC}/@{pid}/setgroups w, # If kernel.unprivileged_userns_clone = 1
  owner @{PROC}/@{pid}/smaps r,
  owner @{PROC}/@{pid}/stat r,
  owner @{PROC}/@{pid}/statm r,
  owner @{PROC}/@{pid}/task/ r,
  owner @{PROC}/@{pid}/task/@{tid}/comm rw,
  owner @{PROC}/@{pid}/task/@{tid}/stat r,
  owner @{PROC}/@{pid}/uid_map w, # If kernel.unprivileged_userns_clone = 1

        /dev/shm/ r,
  owner /dev/shm/org.chromium.* rw,
  owner /dev/shm/org.mozilla.ipc.@{pid}.@{int} rw,
  owner /dev/shm/wayland.mozilla.ipc.@{int} rw,

  /dev/tty rw,

  # file_inherit
  owner /dev/tty@{int} rw,
  owner @{HOME}/.xsession-errors w,

  # Silencer
  deny @{HOME}/.mozilla/** mrwkl,
  deny @{config_dirs}/*.*/pepmda/ rw,
  deny @{config_dirs}/*.*/pepmda/** rwklmx,
  deny @{lib_dirs}/** w,
  deny /dev/ r,
  deny /dev/urandom w,
  deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,

  include if exists <local/thunderbird>
}
