# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2022 Mikhail Morfikov
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/4.0>,

include <tunables/global>

@{exec_path} = @{bin}/xdg-mime
profile xdg-mime /{,usr/}{,s}bin/xdg-mime  flags=(attach_disconnected,complain) {
  include <abstractions/base>
  include <abstractions/freedesktop.org>

  @{exec_path} r,

  @{sh_path}        rix,
  @{bin}/{,e}grep   rix,
  @{bin}/{m,g,}awk  rix,
  @{bin}/basename   rix,
  @{bin}/cut        rix,
  @{bin}/file       rix,
  @{bin}/head       rix,
  @{bin}/mv         rix,
  @{bin}/readlink   rix,
  @{bin}/realpath   rix,
  @{bin}/sed        rix,
  @{bin}/tr         rix,
  @{bin}/uname      rix,
  @{bin}/which{,.debianutils}      rix,

  @{bin}/gio        rPx,
  @{bin}/mimetype   rPx,
  @{bin}/xprop      rPx,
  @{bin}/ktraderclient5 rPUx,

  /usr/share/terminfo/** r,

  owner @{HOME}/.Xauthority r,
  owner @{user_config_dirs}/mimeapps.list{,.new} rw,

  owner @{run}/user/@{uid}/ r,

  @{sys}/devices/platform/**/hwmon/hwmon@{int}/temp* r,
  @{sys}/devices/platform/**/hwmon/hwmon@{int}/fan* r,

  /dev/dri/card@{int} rw,
  /dev/tty rw,

  # When xdg-mime is run as root, it wants to exec dbus-launch, and hence it creates the two
  # following root processes:
  #  dbus-launch --autolaunch e0a30ad97cd6421c85247839ccef9db2 --binary-syntax --close-stderr
  #  /usr/bin/dbus-daemon --syslog-only --fork --print-pid 5 --print-address 7 --session
  #
  # Should this be allowed? Xdg-mime works fine without this.
  #@{bin}/dbus-launch        rCx -> dbus,
  #@{bin}/dbus-send          rCx -> dbus,
  deny @{bin}/dbus-launch rx,
  deny @{bin}/dbus-send   rx,

  deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,

  profile dbus flags=(attach_disconnected,complain) {
    include <abstractions/base>
    include <abstractions/nameservice-strict>

    @{bin}/dbus-launch   mr,
    @{bin}/dbus-send     mr,
    @{bin}/dbus-daemon  rPx,

          @{HOME}/.Xauthority r,
    owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w,

  }

  include if exists <local/xdg-mime>
}
