# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/4.0>,

include <tunables/global>

@{exec_path}  = @{bin}/libreoffice @{bin}/soffice
@{exec_path} += @{lib}/libreoffice/program/soffice
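# NOTE(review): the attachment below is the expanded form of @{exec_path}
# (@{bin}/libreoffice, @{bin}/soffice, @{lib}/libreoffice/program/soffice).
# The original listed the @{lib}/.../soffice alternative twice; the duplicate
# is dropped here, which does not change what the profile attaches to.
#
# The profile is in complain mode: violations are logged, not blocked, so the
# deny rules at the bottom and every path restriction are advisory until the
# flag is removed.
profile libreoffice /{{,usr/}{,s}bin/libreoffice,{,usr/}{,s}bin/soffice,{,usr/}lib{,exec,32,64}/libreoffice/program/soffice} flags=(complain) {
  include <abstractions/base>
  include <abstractions/audio-client>
  include <abstractions/bus-session>
  include <abstractions/dconf-write>
  include <abstractions/desktop>
  include <abstractions/enchant>
  include <abstractions/nameservice-strict>
  include <abstractions/ssl_certs>
  # Broad read/write access under @{HOME}; the explicit deny rules at the end
  # carve out mail and browser profile directories from these abstractions.
  include <abstractions/user-read-strict>
  include <abstractions/user-write-strict>

  # Unrestricted IPv4/IPv6 TCP and UDP (no destination constraint is possible
  # at this layer).
  network inet dgram,
  network inet6 dgram,
  network inet stream,
  network inet6 stream,
  network netlink raw,

  # Single-instance IPC: LibreOffice owns the LibreOfficeIpc0 session name
  # and only talks to unique-name peers (:1.N) or the bus daemon itself.
  dbus bind bus=session name=org.libreoffice.LibreOfficeIpc0{,.*},
  dbus receive bus=session path=/org/libreoffice/LibreOfficeIpc0{,/**}
       interface=org.libreoffice.LibreOfficeIpc0{,.*}
       peer=(name=":1.@{int}"),
  dbus receive bus=session path=/org/libreoffice/LibreOfficeIpc0{,/**}
       interface=org.freedesktop.DBus.Properties
       peer=(name=":1.@{int}"),
  dbus receive bus=session path=/org/libreoffice/LibreOfficeIpc0{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       peer=(name=":1.@{int}"),
  dbus send bus=session path=/org/libreoffice/LibreOfficeIpc0{,/**}
       interface=org.libreoffice.LibreOfficeIpc0{,.*}
       peer=(name="{:1.@{int},org.freedesktop.DBus}"),
  dbus send bus=session path=/org/libreoffice/LibreOfficeIpc0{,/**}
       interface=org.freedesktop.DBus.Properties
       peer=(name="{:1.@{int},org.freedesktop.DBus}"),
  dbus send bus=session path=/org/libreoffice/LibreOfficeIpc0{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       peer=(name="{:1.@{int},org.freedesktop.DBus}"),
  dbus receive bus=session path=/org/libreoffice/LibreOfficeIpc0{,/**}
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name=":1.@{int}"),

  @{exec_path} mr,

  # Helpers run by the soffice wrapper script; `ix` keeps them confined by
  # this same profile rather than transitioning.
  @{sh_path}        rix,
  @{bin}/basename   rix,
  @{bin}/dirname    rix,
  @{bin}/grep       rix,
  @{bin}/ls         rix,
  @{bin}/paperconf  rix,
  @{bin}/sed        rix,
  @{bin}/uname      rix,

  # Opening URLs/files leaves this profile for the browser child profile.
  @{open_path}      rpx -> child-open-browsers,

  # Document signing/encryption: each gpg tool transitions to its own
  # profile (px), so key material is not exposed under this profile's rules.
  @{bin}/gpgconf rpx,
  @{bin}/gpgsm rpx,
  @{bin}/gpg rpx,

  # Internal binaries and the JVM run inherited (ix) under this profile.
  @{lib}/libreoffice/program/javaldx      rix,
  @{lib}/libreoffice/program/oosplash     rix,
  @{lib}/libreoffice/program/soffice.bin  rix,
  @{lib}/jvm/java*/bin/java              rix,
  @{lib}/jvm/java*/lib/** rm,

  # Install tree is read/map only; the `w` rules below grant creation of the
  # named directories themselves, not writes to files under the install tree.
  @{lib}/libreoffice/{,**} rm,
  @{lib}/libreoffice/share/uno_packages/cache/stamp.sys w,
  @{lib}/libreoffice/program/{,**/}__pycache__/ w,
  @{lib}/libreoffice/share/extensions/{,**/}__pycache__/ w,

  /usr/share/hyphen/{,**} r,
  /usr/share/libexttextcat/{,**} r,
  /usr/share/liblangtag/{,**} r,
  /usr/share/libreoffice/{,**} r,
  /usr/share/mythes/{,**} r,

  /etc/java-openjdk/{,**} r,
  /etc/libreoffice/{,**} r,
  /etc/paperspecs r,

  owner @{user_cache_dirs}/libreoffice/{,**} rw,
  owner @{user_config_dirs}/libreoffice/ rw,
  owner @{user_config_dirs}/libreoffice/** rwk,

  # Scratch files, the single-instance IPC pipe, and JVM attach/perf files.
  owner @{tmp}/@{rand6} rwk,
  owner @{tmp}/*.tmp/{,**} rwk,
  owner @{tmp}/OSL_PIPE_@{uid}_SingleOfficeIPC_@{hex} w,
  owner @{tmp}/.java_pid@{int}{,.tmp} rw,
  owner @{tmp}/hsperfdata_@{user}/  rw,
  owner @{tmp}/hsperfdata_@{user}/@{int} rwk,

        @{sys}/devices/system/cpu/cpu@{int}/microcode/version r,
        @{sys}/devices/virtual/block/**/queue/rotational r,
        @{sys}/kernel/mm/hugepages/ r,
        @{sys}/kernel/mm/transparent_hugepage/enabled r,
        @{sys}/kernel/mm/transparent_hugepage/shmem_enabled r,
  # NOTE(review): the second cgroup rule is specific to a GNOME Shell Wayland
  # session; other desktops will log a denial here (harmless in complain mode).
  owner @{sys}/fs/cgroup/user.slice/user-@{int}.slice/user@@{int}.service/app.slice/**/memory.max r,
  owner @{sys}/fs/cgroup/user.slice/user-@{int}.slice/user@@{int}.service/session.slice/org.gnome.Shell@wayland.service/memory.max r,

        @{PROC}/cgroups r,
  owner @{PROC}/@{pid}/cgroup r,
  owner @{PROC}/@{pid}/coredump_filter rw,
  owner @{PROC}/@{pid}/mountinfo r,

  /dev/tty rw,

  # Explicit denies override the user-read/write abstractions above so that
  # a malicious document cannot reach mail or browser profile data. Only
  # these two trees are excluded; other credential stores under @{HOME}
  # remain reachable through the abstractions.
  deny owner @{HOME}/.thunderbird/** rwk,
  deny owner @{HOME}/.mozilla/** rwk,

  include if exists <local/libreoffice>
}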

# vim:syntax=apparmor
