# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/3.0>,

include <tunables/global>

@{exec_path} = @{bin}/kwin_wayland
profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) {
  include <abstractions/base>
  include <abstractions/dri-common>
  include <abstractions/dri-enumerate>
  include <abstractions/fontconfig-cache-write>
  include <abstractions/fonts>
  include <abstractions/freedesktop.org>
  include <abstractions/freedesktop.org>
  include <abstractions/mesa>
  include <abstractions/nameservice-strict>
  include <abstractions/qt5-shader-cache>
  include <abstractions/vulkan>
  include <abstractions/wayland>

  capability sys_nice,

  ptrace (read),

  signal (receive) set=term peer=sddm,
  signal (receive) set=(kill, term) peer=kwin_wayland_wrapper,
  signal (send) set=(kill, term) peer=xwayland,

  network netlink raw,

  @{exec_path} mr,

  @{bin}/plasmashell          r,
  @{bin}/Xwayland             rPx,
  @{lib}/kscreenlocker_greet  rPx,

  /usr/share/hwdata/pnp.ids r,
  /usr/share/kglobalaccel/{,**} r,
  /usr/share/knotifications5/ksmserver.notifyrc r,
  /usr/share/kservices5/{,**} r,
  /usr/share/kservicetypes5/{,*.desktop} r,
  /usr/share/kwin/{,**} r,
  /usr/share/libinput/{,**} r,
  /usr/share/mime/ r,
  /usr/share/plasma/desktoptheme/default/{metadata.json,plasmarc} r,
  /usr/share/qt/translations/*.qm r,
  /usr/share/X11/xkb/{,**} r,

  /etc/machine-id r,
  /etc/xdg/menus/{,applications.menu} r,
  /etc/pipewire/client.conf.d/ r,
  /usr/share/pipewire/client.conf r,
  

  owner /var/lib/sddm/.cache/#@{int} rw,
  owner /var/lib/sddm/.cache/fontconfig/* rw,
  owner /var/lib/sddm/.cache/mesa_shader_cache/** r,
  owner /var/lib/sddm/.cache/mesa_shader_cache/index rw,
  owner /var/lib/sddm/.cache/ksycoca5_* rwkl  -> /var/lib/sddm/.cache/#@{int},

  owner /var/lib/sddm/.config/#@{int} rw,
  owner /var/lib/sddm/.config/kdeglobals r,
  owner /var/lib/sddm/.config/kglobalshortcutsrc.lock rwk,
  owner /var/lib/sddm/.config/kglobalshortcutsrc{,.@{rand6}} rwl -> /var/lib/sddm/.config/#@{int},
  owner /var/lib/sddm/.config/kwinrc.lock rwk,
  owner /var/lib/sddm/.config/kwinrc{,.@{rand6}} rwl -> /var/lib/sddm/.config/#@{int},

  owner @{user_cache_dirs}/{,plasma-svgelements} r,
  owner @{user_cache_dirs}/icon-cache.kcache rw,
  owner @{user_share_dirs}/kscreen/* r,
  owner @{user_cache_dirs}/ksycoca5_* r,
  owner @{user_cache_dirs}/plasma_theme_default_v*.kcache rw,

  owner @{user_config_dirs}/#@{int} rwl,
  owner @{user_config_dirs}/kcminputrc r,
  owner @{user_config_dirs}/kdedefaults/* r,
  owner @{user_config_dirs}/kdeglobals r,
  owner @{user_config_dirs}/kglobalshortcutsrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
  owner @{user_config_dirs}/kglobalshortcutsrc.lock rwk,
  owner @{user_config_dirs}/kscreenlockerrc r,
  owner @{user_config_dirs}/kwinrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
  owner @{user_config_dirs}/kwinrc.lock rwk,
  owner @{user_config_dirs}/kwinrulesrc r,
  owner @{user_config_dirs}/kxkbrc r,
  owner @{user_config_dirs}/menus/{,applications-merged/} r,

  @{run}/systemd/inhibit/*.ref rw,

  @{sys}/bus/ r,
  @{sys}/class/ r,
  @{sys}/class/drm/ r,
  @{sys}/class/input/ r,
  @{sys}/devices/**/uevent r,

  @{run}/udev/data/+acpi:* r,             # for ACPI
  @{run}/udev/data/+dmi* r,               # for ?
  @{run}/udev/data/+hid:* r,              # for HID subsystem
  @{run}/udev/data/+input:input@{int} r,  # for mouse, keyboard, touchpad
  @{run}/udev/data/+pci:* r,
  @{run}/udev/data/+platform:* r,         # for ?
  @{run}/udev/data/+sound:card@{int} r,
  @{run}/udev/data/+usb:* r,

  @{run}/udev/data/c13:@{int}  r,         # for /dev/input/*
  @{run}/udev/data/c189:@{int} r,         # for /dev/bus/usb/**
  @{run}/udev/data/c226:@{int} r,         # for /dev/dri/card*

  @{PROC}/sys/kernel/random/boot_id r,

  /dev/input/event@{int} rw,
  /dev/tty r,
  /dev/tty@{int} rw,

  include if exists <local/kwin_wayland>
}