# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2015-2020 Mikhail Morfikov
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/3.0>,

include <tunables/global>

@{exec_path} = @{bin}/conky
profile conky @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
  include <abstractions/freedesktop.org>
  include <abstractions/fonts>
  include <abstractions/fontconfig-cache-read>
  include <abstractions/nameservice-strict>
  include <abstractions/ssl_certs>

  # To get the external IP address
  # For samba share mounts
  network inet dgram,
  network inet6 dgram,
  network inet stream,
  network inet6 stream,

  # For dig
  #network inet stream,
  #network inet6 stream,
  #network netlink raw,

  @{exec_path} mr,

  # Needed tools to render conky output
  @{sh_path}        rix,
  @{bin}/cp         rix,
  @{bin}/rm         rix,
  @{bin}/sed        rix,
  @{bin}/{,e}grep   rix,
  @{bin}/{m,g,}awk  rix,
  @{bin}/tr         rix,
  @{bin}/uniq       rix,
  @{bin}/head       rix,
  @{bin}/cut        rix,
  @{bin}/date       rix,
  @{bin}/cat        rix,
  @{bin}/wc         rix,
  @{bin}/sed        rix,
  @{bin}/sleep      rix,

  # For external IP address
  #@{bin}/dig        rix,
  #owner @{PROC}/@{pid}/task/@{tid}/comm rw,

  # To remove the following error:
  #  .conky/Accuweather_conky_script/accuweather: line 917: /usr/bin/pkill: Permission denied
  @{bin}/pgrep   rix,
  @{PROC}/sys/kernel/osrelease r,

  # Browsers to fetch remote content
  @{bin}/wget rCx -> browse,
  @{bin}/curl rCx -> browse,
  @{bin}/lynx rCx -> browse,
  @{bin}/w3m  rCx -> browse,

  # Conky home files
  owner @{HOME}/ r,
  owner @{HOME}/.conky/ r,
  owner @{HOME}/.conky/** rw,

  # Display images (graphic) inside of the conky window
  @{lib}/@{multiarch}/imlib2/loaders/*.so mr,

  # Get the PRETTY_NAME name from /etc/os-release link
  /etc/ r,

  # Get the kernel version and its architecture via "uname -r"
  @{bin}/uname rix,

  # Display machine's hostname
  /etc/hostname r,

  # Display machine's uptime
  @{PROC}/uptime r,

  # Get the number of CPU cores
  @{sys}/devices/system/cpu/present r,

  # Get the current frequency of the CPU
  @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_cur_freq r,

  # Get load average values for 1, 5 and 15 minutes
  @{PROC}/loadavg r,

  # Display processes' status
  @{PROC}/ r,
  # Get the PID value
  @{PROC}/@{pid}/stat r,
  # Get the name, %CPU and %RAM values
  @{PROC}/@{pid}/cmdline r,
  owner @{PROC}/@{pid}/io r,
  # Not needed
  deny capability sys_ptrace,
  deny ptrace (trace, read),

  # Display the hard disk model name
  @{sys}/devices/@{pci}/{usb,ata}[0-9]/**/model r,
  @{sys}/block/{s,v}d[a-z]/device/model r,
  # Display the disk write/read speed
  @{PROC}/diskstats r,
  # Get the mount point names
  owner @{PROC}/@{pid}/mounts r,
  # /etc/mtab r,

  # Display WiFi network status, which includes the following:
  #  ESSID, AP's MAC, bitrate, signal strength, IP address and down/up speed
  @{PROC}/@{pid}/net/dev r,
  # Display IPv6 address of an interface
  @{PROC}/@{pid}/net/if_inet6 r,

  # Display the number of active TCP/TCP6 connections
  @{PROC}/@{pid}/net/tcp{,6} r,

  # Xserver auth cookie for clients
  owner @{HOME}/.Xauthority r,

  /dev/shm/#@{int} rw,

  # Temperatures and Fans
  @{bin}/sensors rPUx,
  @{sys}/devices/**/hwmon@{int}/temp@{int}_input r,
  @{sys}/devices/**/hwmon/hwmon@{int}/temp@{int}_input r,
  @{sys}/class/hwmon/ r,
  @{PROC}/acpi/ibm/fan r,

  # Display network data transfer status
  @{bin}/vnstat rPUx,

  # Display Secure Boot status
  @{bin}/mokutil rPUx,

  @{PROC}/@{pid}/net/route r,

  owner /tmp/xauth-@{int}-_[0-9] r,

  /usr/share/X11/XErrorDB r,

  # file_inherit
  owner /dev/tty@{int} rw,
  owner @{HOME}/.xsession-errors w,


  profile browse {
    include <abstractions/base>
    include <abstractions/consoles>
    include <abstractions/nameservice-strict>
    include <abstractions/ssl_certs>

    network inet dgram,
    network inet6 dgram,
    network inet stream,
    network inet6 stream,
    network netlink raw,

    @{bin}/wget mr,
    @{bin}/curl mr,
    @{bin}/lynx mr,
    @{bin}/w3m  mr,

    @{sh_path}        rix,

    /etc/mime.types r,
    /etc/mailcap r,

    /etc/lynx/* r,
    /etc/wgetrc r,
    /etc/w3m/config r,
    /etc/w3m/mailcap r,

    owner @{HOME}/.wget-hsts rwk,
    owner @{HOME}/.w3m/ rw,
    owner @{HOME}/.w3m/** rw,

    owner @{HOME}/.conky/** rw,

    /usr/share/publicsuffix/public_suffix_list.* r,

    # file_inherit
    owner /dev/tty@{int} rw,
    deny @{PROC}/@{pids}/net/dev r,
    deny @{PROC}/@{pids}/net/tcp r,
    deny @{PROC}/@{pids}/net/tcp6 r,
    deny @{PROC}/@{pids}/net/if_inet6 r,
    deny @{PROC}/@{pids}/stat r,
    deny @{PROC}/diskstats r,
    deny @{PROC}/uptime r,
    deny @{PROC}/loadavg r,
    deny @{PROC}/@{pids}/cmdline r,
    deny @{PROC}/@{pids}/io r,
    deny @{PROC}/@{pid}/net/route r,
    deny @{sys}/devices/**/hwmon/**/temp*_input r,

  }

  include if exists <local/conky>
}