# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/4.0>,

include <tunables/global>

@{exec_path} = @{bin}/wireplumber
profile wireplumber /{,usr/}{,s}bin/wireplumber flags=(complain) {
  include <abstractions/base>
  include <abstractions/audio-server>
  include <abstractions/bus-session>
  include <abstractions/bus-system>
  include <abstractions/bus/org.freedesktop.RealtimeKit1>
  include <abstractions/bus/org.freedesktop.UPower>
  include <abstractions/devices-usb>
  include <abstractions/nameservice-strict>
  include <abstractions/video>

  network bluetooth raw,
  network bluetooth seqpacket,
  network bluetooth stream,
  network netlink raw,

  dbus bind bus=session name=org.freedesktop.ReserveDevice1.Audio0,

  dbus receive bus=session
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name=:*, label=gnome-shell),

  @{exec_path} mr,

  /opt/intel/oneapi/{compiler,lib,mkl}/**/ r,
  /opt/intel/oneapi/{compiler,lib,mkl}/**.so* mr,

  /usr/share/alsa-card-profile/{,**} r,
  /usr/share/spa-*/bluez@{int}/{,*} r,
  /usr/share/wireplumber/{,**} r,

  /etc/machine-id r,

  owner @{desktop_local_dirs}/ w,
  owner @{desktop_local_dirs}/state/ w,
  owner @{desktop_local_dirs}/state/wireplumber/{,**} rw,

  owner @{HOME}/.local/ w,
  owner @{user_state_dirs}/ w,
  owner @{user_state_dirs}/wireplumber/{,**} rw,

  @{run}/systemd/users/@{uid} r,

  @{run}/udev/data/c14:@{int} r,          # Open Sound System (OSS)
  @{run}/udev/data/c81:@{int}  r,         # For video4linux
  @{run}/udev/data/c116:@{int} r,         # For ALSA
  @{run}/udev/data/c@{dynamic}:@{int} r,  # For dynamic assignment range 234 to 254, 384 to 511

  @{sys}/bus/ r,
  @{sys}/bus/media/devices/ r,
  @{sys}/devices/**/device:*/**/path r,
  @{sys}/devices/**/sound/**/pcm_class r,
  @{sys}/devices/**/sound/**/uevent r,
  @{sys}/devices/@{pci}/video4linux/video@{int}/uevent r,
  @{sys}/devices/virtual/dmi/id/bios_vendor r,
  @{sys}/devices/virtual/dmi/id/product_name r,
  @{sys}/devices/virtual/dmi/id/sys_vendor r,

  owner @{PROC}/@{pid}/task/@{tid}/comm rw,

  /dev/media@{int} rw,
  /dev/snd/ r,

  include if exists <local/wireplumber>
}
