# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/4.0>,

include <tunables/global>

@{exec_path} = @{bin}/gnome-shell
# Confinement profile for gnome-shell.
#
# Flags: `complain` means denials are only logged (audit), not enforced, so as
# written this profile records rather than restricts gnome-shell's access;
# `attach_disconnected` lets paths with no namespace root be mediated as if
# rooted at "/", and `mediate_deleted` keeps mediating files unlinked while open.
# NOTE(review): the attachment path is presumably the expansion of
# @{exec_path} (@{bin}/gnome-shell, see @{exec_path} mr below); using the
# variable directly would keep the two in sync — confirm @{bin} in tunables.
profile gnome-shell /{,usr/}{,s}bin/gnome-shell  flags=(attach_disconnected,mediate_deleted,complain) {
  include <abstractions/base>
  include <abstractions/audio-client>
  include <abstractions/bus-accessibility>
  include <abstractions/bus-session>
  include <abstractions/bus-system>
  include <abstractions/bus/net.hadess.PowerProfiles>
  include <abstractions/bus/net.hadess.SwitcherooControl>
  include <abstractions/bus/net.reactivated.Fprint>
  include <abstractions/bus/org.a11y>
  include <abstractions/bus/org.freedesktop.Accounts>
  include <abstractions/bus/org.freedesktop.background.Monitor>
  include <abstractions/bus/org.freedesktop.FileManager1>
  include <abstractions/bus/org.freedesktop.GeoClue2>
  include <abstractions/bus/org.freedesktop.impl.portal.PermissionStore>
  include <abstractions/bus/org.freedesktop.locale1>
  include <abstractions/bus/org.freedesktop.login1.Session>
  include <abstractions/bus/org.freedesktop.NetworkManager>
  include <abstractions/bus/org.freedesktop.Notifications>
  include <abstractions/bus/org.freedesktop.PackageKit>
  include <abstractions/bus/org.freedesktop.PolicyKit1>
  include <abstractions/bus/org.freedesktop.portal.Desktop>
  include <abstractions/bus/org.freedesktop.RealtimeKit1>
  include <abstractions/bus/org.freedesktop.secrets>
  include <abstractions/bus/org.freedesktop.systemd1>
  include <abstractions/bus/org.freedesktop.UPower>
  include <abstractions/bus/org.gtk.Private.RemoteVolumeMonitor>
  include <abstractions/bus/org.gtk.vfs.Daemon>
  include <abstractions/bus/org.gtk.vfs.Metadata>
  include <abstractions/bus/org.gtk.vfs.MountTracker>
  include <abstractions/dconf-write>
  include <abstractions/fontconfig-cache-write>
  include <abstractions/gnome-strict>
  include <abstractions/graphics>
  include <abstractions/gstreamer>
  include <abstractions/ibus>
  include <abstractions/nameservice-strict>
  include <abstractions/p11-kit>
  include <abstractions/ssl_certs>
  include <abstractions/thumbnails-cache-read>
  include <abstractions/video>

  # CAP_SYS_NICE: change scheduling priority. CAP_SYS_PTRACE is broad: together
  # with the peer-less `ptrace (read)` below and the non-owner
  # @{PROC}/@{pids}/cmdline rule it lets the shell inspect processes of any uid.
  capability sys_nice,
  capability sys_ptrace,

  network inet stream,
  network inet6 stream,
  network inet dgram,
  network inet6 dgram,
  network netlink raw,
  network unix stream,

  # Tracing: read access to any peer (no peer= restriction); only pipewire may
  # read this process in turn.
  ptrace (read),
  ptrace (readby) peer=pipewire,

  # Signals: only term/hup are accepted, and only from gdm*. Outgoing signals
  # are unrestricted (any signal, any peer) — the widest rule in this section;
  # narrow with set=/peer= once the required targets are known.
  signal (receive) set=(term, hup) peer=gdm*,
  signal (send),

  # Unix sockets are pinned to the peer's AppArmor label. The ibus socket lives
  # under the gdm cache dir, presumably for the greeter-session instance.
  unix (send,receive) type=stream addr=none peer=(label=gnome-extension-ding),
  unix (send,receive) type=stream addr=none peer=(label=xkbcomp),
  unix (send,receive) type=stream addr=none peer=(label=xwayland),
  unix (send,receive, connect) type=stream peer=(addr="@/var/lib/gdm{3,}/.cache/ibus/dbus-????????", label=ibus-daemon),

  # D-Bus names owned (bound) by gnome-shell. For every well-known name the
  # receive rules accept calls from any unique connection (":1.@{int}") with no
  # label constraint, so any session-bus client can reach these interfaces; the
  # matching send rules allow traffic back to those connections and to the bus
  # daemon (org.freedesktop.DBus).

  dbus bind bus=session name=org.gnome.keyring.SystemPrompter{,.*},
  dbus receive bus=session path=/org/gnome/keyring/SystemPrompter{,/**}
       interface=org.gnome.keyring.SystemPrompter{,.*}
       peer=(name=":1.@{int}"),
  dbus receive bus=session path=/org/gnome/keyring/SystemPrompter{,/**}
       interface=org.freedesktop.DBus.Properties
       peer=(name=":1.@{int}"),
  dbus receive bus=session path=/org/gnome/keyring/SystemPrompter{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       peer=(name=":1.@{int}"),
  dbus send bus=session path=/org/gnome/keyring/SystemPrompter{,/**}
       interface=org.gnome.keyring.SystemPrompter{,.*}
       peer=(name="{:1.@{int},org.freedesktop.DBus}"),
  dbus send bus=session path=/org/gnome/keyring/SystemPrompter{,/**}
       interface=org.freedesktop.DBus.Properties
       peer=(name="{:1.@{int},org.freedesktop.DBus}"),
  dbus send bus=session path=/org/gnome/keyring/SystemPrompter{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       peer=(name="{:1.@{int},org.freedesktop.DBus}"),
  dbus receive bus=session path=/org/gnome/keyring/SystemPrompter{,/**}
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name=":1.@{int}"),
  dbus bind bus=session name=org.gnome.Mutter{,.*},
  dbus receive bus=session path=/org/gnome/Mutter{,/**}
       interface=org.gnome.Mutter{,.*}
       peer=(name=":1.@{int}"),
  dbus receive bus=session path=/org/gnome/Mutter{,/**}
       interface=org.freedesktop.DBus.Properties
       peer=(name=":1.@{int}"),
  dbus receive bus=session path=/org/gnome/Mutter{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       peer=(name=":1.@{int}"),
  dbus send bus=session path=/org/gnome/Mutter{,/**}
       interface=org.gnome.Mutter{,.*}
       peer=(name="{:1.@{int},org.freedesktop.DBus}"),
  dbus send bus=session path=/org/gnome/Mutter{,/**}
       interface=org.freedesktop.DBus.Properties
       peer=(name="{:1.@{int},org.freedesktop.DBus}"),
  dbus send bus=session path=/org/gnome/Mutter{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       peer=(name="{:1.@{int},org.freedesktop.DBus}"),
  dbus receive bus=session path=/org/gnome/Mutter{,/**}
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name=":1.@{int}"),
  dbus bind bus=session name=org.gnome.Shell{,.*},
  dbus receive bus=session path=/org/gnome/Shell{,/**}
       interface=org.gnome.Shell{,.*}
       peer=(name=":1.@{int}"),
  dbus receive bus=session path=/org/gnome/Shell{,/**}
       interface=org.freedesktop.DBus.Properties
       peer=(name=":1.@{int}"),
  dbus receive bus=session path=/org/gnome/Shell{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       peer=(name=":1.@{int}"),
  dbus send bus=session path=/org/gnome/Shell{,/**}
       interface=org.gnome.Shell{,.*}
       peer=(name="{:1.@{int},org.freedesktop.DBus}"),
  dbus send bus=session path=/org/gnome/Shell{,/**}
       interface=org.freedesktop.DBus.Properties
       peer=(name="{:1.@{int},org.freedesktop.DBus}"),
  dbus send bus=session path=/org/gnome/Shell{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       peer=(name="{:1.@{int},org.freedesktop.DBus}"),
  dbus receive bus=session path=/org/gnome/Shell{,/**}
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name=":1.@{int}"),

  # Legacy / extension-provided names (Unity, DING, GTK helpers, KDE tray).
  dbus bind bus=session name=com.canonical.Unity{,.*},
  dbus receive bus=session path=/com/canonical/{U,u}nity
       interface=com.canonical.Unity{,.*}
       peer=(name=":1.@{int}"),
  dbus receive bus=session path=/com/canonical/{U,u}nity
       interface=org.freedesktop.DBus.Properties
       peer=(name=":1.@{int}"),
  dbus receive bus=session path=/com/canonical/{U,u}nity
       interface=org.freedesktop.DBus.ObjectManager
       peer=(name=":1.@{int}"),
  dbus send bus=session path=/com/canonical/{U,u}nity
       interface=com.canonical.Unity{,.*}
       peer=(name="{:1.@{int},org.freedesktop.DBus}"),
  dbus send bus=session path=/com/canonical/{U,u}nity
       interface=org.freedesktop.DBus.Properties
       peer=(name="{:1.@{int},org.freedesktop.DBus}"),
  dbus send bus=session path=/com/canonical/{U,u}nity
       interface=org.freedesktop.DBus.ObjectManager
       peer=(name="{:1.@{int},org.freedesktop.DBus}"),
  dbus receive bus=session path=/com/canonical/{U,u}nity
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name=":1.@{int}"),
  dbus bind bus=session name=com.rastersoft.dingextension{,.*},
  dbus receive bus=session path=/com/rastersoft/dingextension{,/**}
       interface=com.rastersoft.dingextension{,.*}
       peer=(name=":1.@{int}"),
  dbus receive bus=session path=/com/rastersoft/dingextension{,/**}
       interface=org.freedesktop.DBus.Properties
       peer=(name=":1.@{int}"),
  dbus receive bus=session path=/com/rastersoft/dingextension{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       peer=(name=":1.@{int}"),
  dbus send bus=session path=/com/rastersoft/dingextension{,/**}
       interface=com.rastersoft.dingextension{,.*}
       peer=(name="{:1.@{int},org.freedesktop.DBus}"),
  dbus send bus=session path=/com/rastersoft/dingextension{,/**}
       interface=org.freedesktop.DBus.Properties
       peer=(name="{:1.@{int},org.freedesktop.DBus}"),
  dbus send bus=session path=/com/rastersoft/dingextension{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       peer=(name="{:1.@{int},org.freedesktop.DBus}"),
  dbus receive bus=session path=/com/rastersoft/dingextension{,/**}
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name=":1.@{int}"),
  # org.gtk.Actions is exported at path=/**, i.e. over the whole object tree,
  # unlike the other names which are scoped to their own path prefix.
  dbus bind bus=session name=org.gtk.Actions{,.*},
  dbus receive bus=session path=/**
       interface=org.gtk.Actions{,.*}
       peer=(name=":1.@{int}"),
  dbus receive bus=session path=/**
       interface=org.freedesktop.DBus.Properties
       peer=(name=":1.@{int}"),
  dbus receive bus=session path=/**
       interface=org.freedesktop.DBus.ObjectManager
       peer=(name=":1.@{int}"),
  dbus send bus=session path=/**
       interface=org.gtk.Actions{,.*}
       peer=(name="{:1.@{int},org.freedesktop.DBus}"),
  dbus send bus=session path=/**
       interface=org.freedesktop.DBus.Properties
       peer=(name="{:1.@{int},org.freedesktop.DBus}"),
  dbus send bus=session path=/**
       interface=org.freedesktop.DBus.ObjectManager
       peer=(name="{:1.@{int},org.freedesktop.DBus}"),
  dbus receive bus=session path=/**
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name=":1.@{int}"),
  dbus bind bus=session name=org.gtk.MountOperationHandler{,.*},
  dbus receive bus=session path=/org/gtk/MountOperationHandler{,/**}
       interface=org.gtk.MountOperationHandler{,.*}
       peer=(name=":1.@{int}"),
  dbus receive bus=session path=/org/gtk/MountOperationHandler{,/**}
       interface=org.freedesktop.DBus.Properties
       peer=(name=":1.@{int}"),
  dbus receive bus=session path=/org/gtk/MountOperationHandler{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       peer=(name=":1.@{int}"),
  dbus send bus=session path=/org/gtk/MountOperationHandler{,/**}
       interface=org.gtk.MountOperationHandler{,.*}
       peer=(name="{:1.@{int},org.freedesktop.DBus}"),
  dbus send bus=session path=/org/gtk/MountOperationHandler{,/**}
       interface=org.freedesktop.DBus.Properties
       peer=(name="{:1.@{int},org.freedesktop.DBus}"),
  dbus send bus=session path=/org/gtk/MountOperationHandler{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       peer=(name="{:1.@{int},org.freedesktop.DBus}"),
  dbus receive bus=session path=/org/gtk/MountOperationHandler{,/**}
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name=":1.@{int}"),
  dbus bind bus=session name=org.gtk.Notifications{,.*},
  dbus receive bus=session path=/org/gtk/Notifications{,/**}
       interface=org.gtk.Notifications{,.*}
       peer=(name=":1.@{int}"),
  dbus receive bus=session path=/org/gtk/Notifications{,/**}
       interface=org.freedesktop.DBus.Properties
       peer=(name=":1.@{int}"),
  dbus receive bus=session path=/org/gtk/Notifications{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       peer=(name=":1.@{int}"),
  dbus send bus=session path=/org/gtk/Notifications{,/**}
       interface=org.gtk.Notifications{,.*}
       peer=(name="{:1.@{int},org.freedesktop.DBus}"),
  dbus send bus=session path=/org/gtk/Notifications{,/**}
       interface=org.freedesktop.DBus.Properties
       peer=(name="{:1.@{int},org.freedesktop.DBus}"),
  dbus send bus=session path=/org/gtk/Notifications{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       peer=(name="{:1.@{int},org.freedesktop.DBus}"),
  dbus receive bus=session path=/org/gtk/Notifications{,/**}
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name=":1.@{int}"),
  dbus bind bus=session name=org.kde.StatusNotifierWatcher{,.*},
  dbus receive bus=session path=/StatusNotifierWatcher
       interface=org.kde.StatusNotifierWatcher{,.*}
       peer=(name=":1.@{int}"),
  dbus receive bus=session path=/StatusNotifierWatcher
       interface=org.freedesktop.DBus.Properties
       peer=(name=":1.@{int}"),
  dbus receive bus=session path=/StatusNotifierWatcher
       interface=org.freedesktop.DBus.ObjectManager
       peer=(name=":1.@{int}"),
  dbus send bus=session path=/StatusNotifierWatcher
       interface=org.kde.StatusNotifierWatcher{,.*}
       peer=(name="{:1.@{int},org.freedesktop.DBus}"),
  dbus send bus=session path=/StatusNotifierWatcher
       interface=org.freedesktop.DBus.Properties
       peer=(name="{:1.@{int},org.freedesktop.DBus}"),
  dbus send bus=session path=/StatusNotifierWatcher
       interface=org.freedesktop.DBus.ObjectManager
       peer=(name="{:1.@{int},org.freedesktop.DBus}"),
  dbus receive bus=session path=/StatusNotifierWatcher
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name=":1.@{int}"),

  # Talk to other services. Every peer below is pinned to both its well-known
  # name and its AppArmor label, which is the preferred shape for these rules.

  dbus send bus=system path=/org/freedesktop/ColorManager{,/**}
       interface=org.freedesktop.ColorManager{,.*}
       peer=(name="{:1.@{int},org.freedesktop.ColorManager{,.*}}", label=colord),
  dbus send bus=system path=/org/freedesktop/ColorManager{,/**}
       interface=org.freedesktop.DBus.Properties
       peer=(name="{:1.@{int},org.freedesktop.ColorManager{,.*}}", label=colord),
  dbus send bus=system path=/org/freedesktop/ColorManager{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       peer=(name="{:1.@{int},org.freedesktop.ColorManager{,.*}}", label=colord),
  dbus receive bus=system path=/org/freedesktop/ColorManager{,/**}
       interface=org.freedesktop.ColorManager{,.*}
       peer=(name="{:1.@{int},org.freedesktop.ColorManager{,.*}}", label=colord),
  dbus receive bus=system path=/org/freedesktop/ColorManager{,/**}
       interface=org.freedesktop.DBus.Properties
       peer=(name="{:1.@{int},org.freedesktop.ColorManager{,.*}}", label=colord),
  dbus receive bus=system path=/org/freedesktop/ColorManager{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       peer=(name="{:1.@{int},org.freedesktop.ColorManager{,.*}}", label=colord),
  dbus send bus=system path=/org/freedesktop/login1{,/**}
       interface=org.freedesktop.login1{,.*}
       peer=(name="{:1.@{int},org.freedesktop.login1{,.*}}", label=systemd-logind),
  dbus send bus=system path=/org/freedesktop/login1{,/**}
       interface=org.freedesktop.DBus.Properties
       peer=(name="{:1.@{int},org.freedesktop.login1{,.*}}", label=systemd-logind),
  dbus send bus=system path=/org/freedesktop/login1{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       peer=(name="{:1.@{int},org.freedesktop.login1{,.*}}", label=systemd-logind),
  dbus receive bus=system path=/org/freedesktop/login1{,/**}
       interface=org.freedesktop.login1{,.*}
       peer=(name="{:1.@{int},org.freedesktop.login1{,.*}}", label=systemd-logind),
  dbus receive bus=system path=/org/freedesktop/login1{,/**}
       interface=org.freedesktop.DBus.Properties
       peer=(name="{:1.@{int},org.freedesktop.login1{,.*}}", label=systemd-logind),
  dbus receive bus=system path=/org/freedesktop/login1{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       peer=(name="{:1.@{int},org.freedesktop.login1{,.*}}", label=systemd-logind),
  dbus send bus=system path=/org/gnome/DisplayManager{,/**}
       interface=org.gnome.DisplayManager{,.*}
       peer=(name="{:1.@{int},org.gnome.DisplayManager{,.*}}", label=gdm),
  dbus send bus=system path=/org/gnome/DisplayManager{,/**}
       interface=org.freedesktop.DBus.Properties
       peer=(name="{:1.@{int},org.gnome.DisplayManager{,.*}}", label=gdm),
  dbus send bus=system path=/org/gnome/DisplayManager{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       peer=(name="{:1.@{int},org.gnome.DisplayManager{,.*}}", label=gdm),
  dbus receive bus=system path=/org/gnome/DisplayManager{,/**}
       interface=org.gnome.DisplayManager{,.*}
       peer=(name="{:1.@{int},org.gnome.DisplayManager{,.*}}", label=gdm),
  dbus receive bus=system path=/org/gnome/DisplayManager{,/**}
       interface=org.freedesktop.DBus.Properties
       peer=(name="{:1.@{int},org.gnome.DisplayManager{,.*}}", label=gdm),
  dbus receive bus=system path=/org/gnome/DisplayManager{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       peer=(name="{:1.@{int},org.gnome.DisplayManager{,.*}}", label=gdm),

  dbus send bus=session path=/com/rastersoft/ding{,/**}
       interface=com.rastersoft.ding{,.*}
       peer=(name="{:1.@{int},com.rastersoft.ding{,.*}}", label=gnome-extension-ding),
  dbus send bus=session path=/com/rastersoft/ding{,/**}
       interface=org.freedesktop.DBus.Properties
       peer=(name="{:1.@{int},com.rastersoft.ding{,.*}}", label=gnome-extension-ding),
  dbus send bus=session path=/com/rastersoft/ding{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       peer=(name="{:1.@{int},com.rastersoft.ding{,.*}}", label=gnome-extension-ding),
  dbus receive bus=session path=/com/rastersoft/ding{,/**}
       interface=com.rastersoft.ding{,.*}
       peer=(name="{:1.@{int},com.rastersoft.ding{,.*}}", label=gnome-extension-ding),
  dbus receive bus=session path=/com/rastersoft/ding{,/**}
       interface=org.freedesktop.DBus.Properties
       peer=(name="{:1.@{int},com.rastersoft.ding{,.*}}", label=gnome-extension-ding),
  dbus receive bus=session path=/com/rastersoft/ding{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       peer=(name="{:1.@{int},com.rastersoft.ding{,.*}}", label=gnome-extension-ding),
  dbus send bus=session path=/org/gnome/ScreenSaver{,/**}
       interface=org.gnome.ScreenSaver{,.*}
       peer=(name="{:1.@{int},org.gnome.ScreenSaver{,.*}}", label=gjs-console),
  dbus send bus=session path=/org/gnome/ScreenSaver{,/**}
       interface=org.freedesktop.DBus.Properties
       peer=(name="{:1.@{int},org.gnome.ScreenSaver{,.*}}", label=gjs-console),
  dbus send bus=session path=/org/gnome/ScreenSaver{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       peer=(name="{:1.@{int},org.gnome.ScreenSaver{,.*}}", label=gjs-console),
  dbus receive bus=session path=/org/gnome/ScreenSaver{,/**}
       interface=org.gnome.ScreenSaver{,.*}
       peer=(name="{:1.@{int},org.gnome.ScreenSaver{,.*}}", label=gjs-console),
  dbus receive bus=session path=/org/gnome/ScreenSaver{,/**}
       interface=org.freedesktop.DBus.Properties
       peer=(name="{:1.@{int},org.gnome.ScreenSaver{,.*}}", label=gjs-console),
  dbus receive bus=session path=/org/gnome/ScreenSaver{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       peer=(name="{:1.@{int},org.gnome.ScreenSaver{,.*}}", label=gjs-console),
  dbus send bus=session path=/org/gnome/SessionManager{,/**}
       interface=org.gnome.SessionManager{,.*}
       peer=(name="{:1.@{int},org.gnome.SessionManager{,.*}}", label=gnome-session-binary),
  dbus send bus=session path=/org/gnome/SessionManager{,/**}
       interface=org.freedesktop.DBus.Properties
       peer=(name="{:1.@{int},org.gnome.SessionManager{,.*}}", label=gnome-session-binary),
  dbus send bus=session path=/org/gnome/SessionManager{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       peer=(name="{:1.@{int},org.gnome.SessionManager{,.*}}", label=gnome-session-binary),
  dbus receive bus=session path=/org/gnome/SessionManager{,/**}
       interface=org.gnome.SessionManager{,.*}
       peer=(name="{:1.@{int},org.gnome.SessionManager{,.*}}", label=gnome-session-binary),
  dbus receive bus=session path=/org/gnome/SessionManager{,/**}
       interface=org.freedesktop.DBus.Properties
       peer=(name="{:1.@{int},org.gnome.SessionManager{,.*}}", label=gnome-session-binary),
  dbus receive bus=session path=/org/gnome/SessionManager{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       peer=(name="{:1.@{int},org.gnome.SessionManager{,.*}}", label=gnome-session-binary),
  dbus send bus=session path=/org/gnome/SettingsDaemon/*{,/**}
       interface=org.gnome.SettingsDaemon.*{,.*}
       peer=(name="{:1.@{int},org.gnome.SettingsDaemon.*{,.*}}", label=gsd-*),
  dbus send bus=session path=/org/gnome/SettingsDaemon/*{,/**}
       interface=org.freedesktop.DBus.Properties
       peer=(name="{:1.@{int},org.gnome.SettingsDaemon.*{,.*}}", label=gsd-*),
  dbus send bus=session path=/org/gnome/SettingsDaemon/*{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       peer=(name="{:1.@{int},org.gnome.SettingsDaemon.*{,.*}}", label=gsd-*),
  dbus receive bus=session path=/org/gnome/SettingsDaemon/*{,/**}
       interface=org.gnome.SettingsDaemon.*{,.*}
       peer=(name="{:1.@{int},org.gnome.SettingsDaemon.*{,.*}}", label=gsd-*),
  dbus receive bus=session path=/org/gnome/SettingsDaemon/*{,/**}
       interface=org.freedesktop.DBus.Properties
       peer=(name="{:1.@{int},org.gnome.SettingsDaemon.*{,.*}}", label=gsd-*),
  dbus receive bus=session path=/org/gnome/SettingsDaemon/*{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       peer=(name="{:1.@{int},org.gnome.SettingsDaemon.*{,.*}}", label=gsd-*),

  # System bus: registering as polkit authentication agent (and being asked to
  # authenticate), NetworkManager agent registration, and bus-driver queries.
  # All peers are label-pinned to the owning daemon.

  dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
       interface=org.freedesktop.PolicyKit1.Authority
       member=RegisterAuthenticationAgent
       peer=(name=:*, label=polkitd),
  dbus receive bus=system path=/org/freedesktop/PolicyKit1/AuthenticationAgent
       interface=org.freedesktop.PolicyKit1.AuthenticationAgent
       member=BeginAuthentication
       peer=(name=:*, label=polkitd),

  dbus send bus=system path=/org/freedesktop/NetworkManager/AgentManager
       interface=org.freedesktop.NetworkManager.AgentManager
       member={RegisterWithCapabilities,Unregister}
       peer=(name=:*, label=NetworkManager),

  dbus send bus=system path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member={GetConnectionUnixUser,GetConnectionUnixProcessID,GetNameOwner,ListNames}
       peer=(name=org.freedesktop.DBus, label=dbus-system),

  # Session bus: bus-driver queries, a11y registry embedding, gvfs, notifiers.
  # The GetConnectionUnix* members are what lets the shell identify callers.

  dbus send bus=session path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member={GetConnectionUnixUser,GetConnectionUnixProcessID,GetNameOwner,ListNames}
       peer=(name=org.freedesktop.DBus, label=dbus-session),
  dbus send bus=session path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus.Properties
       member=GetAll
       peer=(name=org.freedesktop.DBus, label=dbus-session),
  dbus send bus=session path=/
       interface=org.freedesktop.DBus
       member={GetConnectionUnixProcessID,GetNameOwner,ListNames}
       peer=(name=org.freedesktop.DBus, label=dbus-session),

  dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
       interface=org.a11y.atspi.Socket
       member=Embed
       peer=(name=org.a11y.atspi.Registry),

  dbus send bus=session path=/org/gtk/vfs/**
       interface=org.gtk.vfs.*
       peer=(name=:*, label=gvfsd*),

  dbus send bus=session path=/org/ayatana/NotificationItem/*
       interface=org.freedesktop.DBus.Properties
       member={Get,GetAll}
       peer=(name=:*, label=update-notifier),

  dbus receive bus=session path=/org/freedesktop/systemd1
       interface=org.freedesktop.systemd1.Manager
       member=JobRemoved
       peer=(name=:*, label="@{p_systemd_user}"),

  # The rules from here to the end of the D-Bus section carry no label
  # constraint (`name=:*` only): any session-bus client may be the peer. They
  # are read-only property/menu queries, and the Introspect rule without a path
  # applies to every object path.
  dbus send bus=session path=/MenuBar
       interface=com.canonical.dbusmenu
       member={AboutToShow,GetLayout,GetGroupProperties}
       peer=(name=:*),

  dbus send bus=session path=/StatusNotifierItem
       interface=org.freedesktop.DBus.Properties
       member={Get,GetAll}
       peer=(name=:*),

  dbus send bus=session path=/org/mpris/MediaPlayer2
       interface=org.freedesktop.DBus.Properties
       member={Get,GetAll}
       peer=(name=:*),

  dbus send bus=session
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name=:*),
  dbus send bus=session
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name=org.freedesktop.DBus, label=dbus-session),

  # Executables. Own binary is mapped (mr); unzip runs inside this profile
  # (rix, presumably for the shell-extension zip handled under @{tmp} below);
  # helpers transition to their own profile (rpx) or, for the polkit helper,
  # with a scrubbed environment (Px).
  @{exec_path} mr,

  @{bin}/unzip                  rix,

  @{bin}/gjs-console            rpx,
  @{bin}/glib-compile-schemas   rpx,
  @{bin}/ibus-daemon            rpx,
  @{bin}/Xwayland               rpx,
  @{lib}/mutter-x11-frames      rpx,
  /{,usr/}lib{,exec,32,64}/polkit-[0-9]/polkit-agent-helper-[0-9] Px,
  /{,usr/}lib{,exec,32,64}/polkit-agent-helper-[0-9] Px,

  # Child profiles defined at the bottom of this file.
  @{sh_path}                                           rcx -> shell,
  @{lib}/gio-launch-desktop                            rcx -> open,
  @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop   rcx -> open,

  # Extensions: `pux` runs an extension helper under its own profile when one
  # exists and otherwise unconfined. The user tree is also writable via
  # `owner @{user_share_dirs}/gnome-shell/{,**} rw` below, so code written by
  # the shell there can be executed without confinement — together with the
  # `open` sub-profile this is the widest exec surface in the profile.
  @{user_share_dirs}/gnome-shell/extensions/*/**       rpux,
  /usr/share/gnome-shell/extensions/*/**               rpux,

  # Read-only system data: icons, backgrounds, locale/ICU, session definitions,
  # libinput/libwacom quirks, shell resources.
  /opt/**/share/icons/{,**} r,
  /opt/*/**/*.png r,
  /snap/*/@{uid}/**.png r,
  /usr/share/{,zoneinfo-}icu/{,**} r,
  /usr/share/**.{png,jpg,svg} r,
  /usr/share/**/icons/{,**} r,
  /usr/share/backgrounds/{,**} r,
  /usr/share/byobu/desktop/byobu* r,
  /usr/share/dconf/profile/gdm r,
  /usr/share/desktop-base/** r,
  /usr/share/desktop-directories/{,*.directory} r,
  /usr/share/gdm/BuiltInSessions/{,*.desktop} r,
  /usr/share/gdm/greeter-dconf-defaults r,
  /usr/share/gdm/greeter/applications/{,**} r,
  /usr/share/libgweather/Locations.xml r,
  /usr/share/libinput*/ r,
  /usr/share/libinput*/{,**/}@{int2}-*.quirks r,
  /usr/share/libinput*/libinput/ r,
  /usr/share/libwacom/{,*.stylus,*.tablet} r,
  /usr/share/wallpapers/** r,
  /usr/share/wayland-sessions/{,*.desktop} r,
  /usr/share/xml/iso-codes/{,**} r,
  @{system_share_dirs}/gnome-shell/{,**} r,

  / r,
  /.flatpak-info r,
  /etc/fstab r,
  /etc/timezone r,
  /etc/tpm2-tss/*.json r,
  /etc/udev/hwdb.bin r,
  /etc/xdg/menus/gnome-applications.menu r,

  /var/lib/AccountsService/icons/* r,

  /var/lib/flatpak/app/**/gnome-shell/{,**} r,
  /var/lib/flatpak/appstream/**/icons/** r,

  # State of the greeter instance (presumably running as the gdm user, hence
  # the @{gdm_*} tunables); all owner-qualified.
  owner @{GDM_HOME}/greeter-dconf-defaults r,
  owner @{gdm_cache_dirs}/ w,
  owner @{gdm_cache_dirs}/event-sound-cache.tdb.@{hex32}.@{multiarch} rwk,
  owner @{gdm_cache_dirs}/fontconfig/{,*} rwl,
  owner @{gdm_cache_dirs}/gstreamer-@{int}/ rw,
  owner @{gdm_cache_dirs}/gstreamer-@{int}/registry.*.bin{,.tmp@{rand6}} rw,
  owner @{gdm_cache_dirs}/ibus/dbus-@{rand8} rw,
  owner @{gdm_cache_dirs}/libgweather/ r,
  owner @{gdm_config_dirs}/dconf/user r,
  owner @{gdm_config_dirs}/ibus/ rw,
  owner @{gdm_config_dirs}/ibus/bus/ rw,
  owner @{gdm_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r,
  owner @{gdm_config_dirs}/pulse/ rw,
  owner @{gdm_config_dirs}/pulse/client.conf r,
  owner @{gdm_config_dirs}/pulse/cookie rwk,
  owner @{gdm_share_dirs}/applications/{,**} r,
  owner @{gdm_share_dirs}/gnome-shell/{,**} rw,
  owner @{gdm_share_dirs}/icc/ rw,
  owner @{gdm_share_dirs}/icc/edid-@{hex32}.icc rw,
  owner @{gdm_share_dirs}/icc/.goutputstream-@{rand6} rw,

  # User session state. The TPM2 PKCS#11 store is the only rw rule into a
  # credential store here; the rest is avatars, media art and screenshots.
  owner @{HOME}/.face r,
  owner @{HOME}/.mozilla/firefox/firefox-mpris/{,*} r,
  owner @{HOME}/.tpm2_pkcs11/tpm2_pkcs11.sqlite3 rw,
  owner @{HOME}/.var/app/**.{png,jpg,svg} r,
  owner @{HOME}/.var/app/**/ r,
  owner @{HOME}/@{XDG_SCREENSHOTS_DIR}/{,**} rw,
  owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} rw,

  owner @{user_games_dirs}/**.{png,jpg,svg} r,
  owner @{user_music_dirs}/**.{png,jpg,svg} r,

  owner @{user_config_dirs}/.goutputstream{,-@{rand6}} rw,
  owner @{user_config_dirs}/background r,
  owner @{user_config_dirs}/ibus/ w,
  owner @{user_config_dirs}/monitors.xml{,~} rwl,
  owner @{user_config_dirs}/tiling-assistant/{,**} rw,

  # gnome-shell/{,**} rw includes the extensions/ subtree that is executable
  # via rpux above; the narrower r rule on extensions/ is therefore subsumed.
  owner @{user_share_dirs}/backgrounds/{,**} rw,
  owner @{user_share_dirs}/desktop-directories/{,**} r,
  owner @{user_share_dirs}/gnome-shell/{,**} rw,
  owner @{user_share_dirs}/gnome-shell/extensions/{,**} r,
  owner @{user_share_dirs}/gvfs-metadata/{,*} r,
  owner @{user_share_dirs}/icc/ rw,
  owner @{user_share_dirs}/icc/.goutputstream-@{rand6} rw,
  owner @{user_share_dirs}/icc/edid-@{hex32}.icc rw,

  owner @{user_cache_dirs}/evolution/addressbook/*/PHOTO-*.JPEG r,
  owner @{user_cache_dirs}/gnome-boxes/*.png r,
  owner @{user_cache_dirs}/gnome-photos/{,**} r,
  owner @{user_cache_dirs}/gnome-screenshot/{,**} rw,
  owner @{user_cache_dirs}/gnome-software/icons/{,**} r,
  owner @{user_cache_dirs}/libgweather/{,**} rw,
  owner @{user_cache_dirs}/media-art/{,**} r,
  owner @{user_cache_dirs}/vlc/**/*.jpg r,

  # Runtime dir. The gdm bus socket has no `owner` qualifier — NOTE(review):
  # presumably because the socket belongs to another uid than the shell
  # instance using it; confirm before tightening.
        @{run}/gdm{3,}/dbus/dbus-@{rand8} rw,
  owner @{run}/user/@{uid}/app/*/*.@{rand6} r,
  owner @{run}/user/@{uid}/gnome-shell-disable-extensions rw,
  owner @{run}/user/@{uid}/gnome-shell/{,**} rw,
  owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
  owner @{run}/user/@{uid}/snap.snap*/wayland-cursor-shared-* rw,
  owner @{run}/user/@{uid}/systemd/notify rw,

  owner /dev/shm/.org.chromium.Chromium.* rw,
  owner /dev/shm/wayland.mozilla.ipc.@{int} rw,

  # World-shared /tmp paths without `owner` (X lock file and bus socket);
  # the extension zip and pixbuf temp files are owner-qualified.
        /tmp/.X@{int}-lock rw,
        /tmp/dbus-@{rand8} rw,
  owner @{tmp}/@{rand6}.shell-extension.zip rw,
  owner @{tmp}/gdkpixbuf-xpm-tmp.@{rand6} rw,

  # logind state; inhibit/*.ref is the only writable entry (inhibitor locks).
  @{run}/systemd/users/@{uid} r,
  @{run}/systemd/seats/seat@{int} r,
  @{run}/systemd/sessions/  r,
  @{run}/systemd/sessions/* r,
  @{run}/systemd/inhibit/[0-9]*.ref rw,

  @{run}/udev/tags/seat/ r,

  # udev device database (read-only hardware enumeration).
  @{run}/udev/data/+input:input@{int} r,  # mouse, keyboard, touchpad
  @{run}/udev/data/+platform:* r,
  @{run}/udev/data/+dmi:id r,             # motherboard / DMI info
  @{run}/udev/data/+acpi* r,
  @{run}/udev/data/+pci:* r,              # all PCI devices (GPU, network, storage, USB controllers, ...)
  @{run}/udev/data/+sound:card@{int} r,   # sound cards
  @{run}/udev/data/+usb* r,               # USB mouse and keyboard
  @{run}/udev/data/+i2c:* r,
  @{run}/udev/data/+hid:* r,              # HID-compliant keyboards
  @{run}/udev/data/c10:@{int} r,          # non-serial mice, misc features
  @{run}/udev/data/c13:@{int} r,          # /dev/input/*
  @{run}/udev/data/c189:@{int}  r,        # /dev/bus/usb/**
  @{run}/udev/data/c226:@{int} r,         # /dev/dri/card*
  @{run}/udev/data/n@{int} r,

  # sysfs: device enumeration, hwmon sensors, power supply, net statistics.
  @{sys}/**/uevent r,
  @{sys}/bus/ r,
  @{sys}/class/hwmon/ r,
  @{sys}/class/input/ r,
  @{sys}/class/net/ r,
  @{sys}/class/power_supply/ r,
  @{sys}/devices/@{pci}/boot_vga r,
  @{sys}/devices/@{pci}/input@{int}/{properties,name} r,
  @{sys}/devices/@{pci}/net/*/statistics/collisions r,
  @{sys}/devices/@{pci}/net/*/statistics/rx_{bytes,errors,packets} r,
  @{sys}/devices/@{pci}/net/*/statistics/tx_{bytes,errors,packets} r,
  @{sys}/devices/@{pci}/usb@{int}/**/net/*/statistics/collisions r,
  @{sys}/devices/@{pci}/usb@{int}/**/net/*/statistics/rx_{bytes,errors,packets} r,
  @{sys}/devices/@{pci}/usb@{int}/**/net/*/statistics/tx_{bytes,errors,packets} r,
  @{sys}/devices/**/hwmon@{int}/{,name,temp*,fan*} r,
  @{sys}/devices/**/hwmon@{int}/**/{,name,temp*,fan*} r,
  @{sys}/devices/**/hwmon/{,name,temp*,fan*} r,
  @{sys}/devices/**/hwmon/**/{,name,temp*,fan*} r,
  @{sys}/devices/**/power_supply/{,**} r,
  @{sys}/devices/platform/**/input@{int}/{properties,name} r,
  @{sys}/devices/virtual/dmi/id/bios_vendor r,
  @{sys}/devices/virtual/net/*/statistics/collisions r,
  @{sys}/devices/virtual/net/*/statistics/rx_{bytes,errors,packets} r,
  @{sys}/devices/virtual/net/*/statistics/tx_{bytes,errors,packets} r,

  @{sys}/fs/cgroup/user.slice/cpu.max r,
  @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r,
  @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r,
  @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/cpu.max r,

  # procfs. The unqualified rules apply to any pid: @{PROC}/@{pids}/cmdline
  # exposes other users' command lines (backed by CAP_SYS_PTRACE above); the
  # owner-qualified rules are limited to the shell's own processes.
        @{PROC}/ r,
        @{PROC}/@{pid}/attr/current r,
        @{PROC}/@{pid}/cgroup r,
        @{PROC}/@{pid}/net/* r,
        @{PROC}/@{pid}/stat r,
        @{PROC}/@{pid}/task/@{tid}/stat r,
        @{PROC}/@{pids}/cmdline r,
        @{PROC}/1/cgroup r,
        @{PROC}/cmdline r,
        @{PROC}/sys/kernel/osrelease r,
        @{PROC}/sys/net/ipv{4,6}/conf/all/disable_ipv{4,6} r,
        @{PROC}/vmstat r,
  owner @{PROC}/@{pid}/fd/ r,
  owner @{PROC}/@{pid}/fdinfo/@{int} r,
  owner @{PROC}/@{pid}/mountinfo r,
  owner @{PROC}/@{pid}/mounts r,
  owner @{PROC}/@{pid}/task/@{pid}/cmdline r,
  owner @{PROC}/@{pid}/task/@{tid}/comm rw,

  # Devices: raw input event nodes (presumably direct input handling, as the
  # udev/+input rules above suggest), media devices and virtual terminals.
  /dev/input/event@{int} rw,
  /dev/media@{int} rw,
  /dev/tty@{int} rw,

  # Child profile for the shell snippets spawned via @{sh_path} (rcx -> shell
  # above). Carries CAP_SYS_PTRACE and peer-less ptrace(read) and runs pmap and
  # grep — NOTE(review): presumably inspecting process memory maps; confirm
  # which caller needs this, since the capability applies to any pid.
  profile shell  flags=(attach_disconnected,mediate_deleted,complain) {
    include <abstractions/base>
  
    capability sys_ptrace,

    ptrace (read),

    @{sh_path} mr,
  
    @{bin}/pmap rix,
    @{bin}/grep rix,

    @{sys}/devices/system/node/ r,

          @{PROC}/uptime r,
    owner @{PROC}/@{pid}/cmdline r,
    owner @{PROC}/@{pid}/stat r,

    /dev/tty rw,

    include if exists <local/gnome-shell_shell>
  }

  # Child profile for gio-launch-desktop (rcx -> open above). `pux` over
  # @{bin}/**, @{lib}/**, /opt, /usr/share, /usr/local/bin and /usr/games means
  # the launched program runs under its own profile when one exists and
  # unconfined otherwise — the widest exec surface in this file, inherent to a
  # generic launcher.
  profile open  flags=(attach_disconnected,mediate_deleted,complain) {
    include <abstractions/base>

    network inet stream,
    network unix stream,

    @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop      mr,
    @{lib}/gio-launch-desktop                               mr,

    @{lib}/**                     pux,
    @{bin}/**                     pux,
    /opt/*/**                     pux,
    /usr/share/*/**               pux,
    /usr/local/bin/**             pux,
    /usr/games/**                 pux,

    owner @{run}/user/@{uid}/gnome-shell-disable-extensions w, 

    # Explicit deny: rejected without audit noise (deny rules are quiet by
    # default), unlike an absent rule which would be logged in complain mode.
    deny @{user_share_dirs}/gvfs-metadata/* r,

    include if exists <local/gnome-shell_open>
  }

  # Site-local overrides; kept last so they can extend this profile.
  include if exists <local/gnome-shell>
}

# vim:syntax=apparmor
