From 1d284c03c3f19445cde000759701e87cf16de9e9 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol <alexandre@pujol.io>
Date: Sat, 21 May 2022 17:11:20 +0100
Subject: [PATCH] feat(profiles): add spice-vdagent.

---
 apparmor.d/profiles-s-z/spice-vdagent  | 30 ++++++++++++++++++++++++++
 apparmor.d/profiles-s-z/spice-vdagentd | 28 ++++++++++++++++++++++++
 2 files changed, 58 insertions(+)
 create mode 100644 apparmor.d/profiles-s-z/spice-vdagent
 create mode 100644 apparmor.d/profiles-s-z/spice-vdagentd

diff --git a/apparmor.d/profiles-s-z/spice-vdagent b/apparmor.d/profiles-s-z/spice-vdagent
new file mode 100644
index 00000000..99757736
--- /dev/null
+++ b/apparmor.d/profiles-s-z/spice-vdagent
@@ -0,0 +1,30 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}bin/spice-vdagent
+profile spice-vdagent @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/audio>
+  include <abstractions/gtk>
+
+  @{exec_path} mr,
+
+  /etc/machine-id r,
+  /etc/pipewire/client.conf r,
+
+  owner @{user_config_dirs}/user-dirs.dirs r,
+
+  owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-z0-9]* rw,
+  owner @{run}/spice-vdagentd/spice-vdagent-sock rw,
+
+  @{sys}/devices/pci[0-9]*/**/{device,vendor} r,
+
+  /dev/dri/card[0-9]* rw,
+
+  include if exists <local/spice-vdagent>
+}
\ No newline at end of file
diff --git a/apparmor.d/profiles-s-z/spice-vdagentd b/apparmor.d/profiles-s-z/spice-vdagentd
new file mode 100644
index 00000000..0af212c2
--- /dev/null
+++ b/apparmor.d/profiles-s-z/spice-vdagentd
@@ -0,0 +1,28 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}bin/spice-vdagentd
+profile spice-vdagentd @{exec_path} {
+  include <abstractions/base>
+
+  capability sys_nice,
+
+  @{exec_path} mr,
+
+  owner @{run}/spice-vdagentd/spice-vdagentd.pid rw,
+        @{run}/systemd/seats/seat[0-9]* r,
+        @{run}/systemd/sessions/[0-9]* r,
+        @{run}/systemd/users/@{uid} r,
+
+  @{PROC}/@{pids}/cgroup r,
+
+  /dev/uinput rw,
+  /dev/vport[0-9]*p[0-9]* rw,
+
+  include if exists <local/spice-vdagentd>
+}
\ No newline at end of file