# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/3.0>,

include <tunables/global>

@{exec_path} = @{bin}/anyremote
profile anyremote @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
  include <abstractions/nameservice-strict>

  signal (receive) set=(int, term, kill),
  signal (send) set=(term, kill),

  network inet stream,
  network inet6 stream,

  @{exec_path} mr,

  @{sh_path}        rix,
  @{bin}/{,e}grep   rix,
  @{bin}/{m,g,}awk  rix,
  @{bin}/basename   rix,
  @{bin}/cat        rix,
  @{bin}/curl       rix,
  @{bin}/cut        rix,
  @{bin}/expr       rix,
  @{bin}/find       rix,
  @{bin}/head       rix,
  @{bin}/id         rix,
  @{bin}/md5sum     rix,
  @{bin}/mkdir      rix,
  @{bin}/mv         rix,
  @{bin}/rm         rix,
  @{bin}/sed        rix,
  @{bin}/sleep      rix,
  @{bin}/tail       rix,
  @{bin}/tr         rix,
  @{bin}/wc         rix,
  @{bin}/which{,.debianutils}      rix,

  @{bin}/convert-im6.q16 rCx -> imagemagic,
  @{bin}/killall         rCx -> killall,
  @{bin}/pgrep           rCx -> pgrep,

  @{bin}/pacmd           rPx,
  @{bin}/pactl           rPx,
  @{bin}/ps              rPx,
  @{bin}/qtchooser       rPx,
  @{bin}/wmctrl          rPx,
  @{lib}/qt{5,6}/bin/qdbus rPx,

  # Players
  @{bin}/smplayer        rPx,
  @{bin}/amarok          rPx,
  @{bin}/vlc             rPx,
  @{bin}/mpv             rPx,
  @{bin}/strawberry      rPx,

  /usr/share/anyremote/{,**} r,
  /usr/share/anyremote/cfg-data/Utils/*.sh rix,

  owner @{HOME}/ r,
  owner @{HOME}/.Xauthority r,
  owner @{HOME}/.anyRemote/{,**} rw,
  owner @{HOME}/.anyRemote/imdb-mf.sh rix,

  owner @{tmp}/amarok_covers/ rw,
  owner @{tmp}/*.png rw,

  deny @{PROC}/sys/kernel/osrelease r,

  profile imagemagic {
    include <abstractions/base>

    @{bin}/convert-im6.q16 mr,

    /usr/share/anyremote/cfg-data/Icons/common/*.png r,
  
    /usr/share/ImageMagick-[0-9]/*.xml rw,
    /etc/ImageMagick-[0-9]/*.xml r,
  
    owner @{HOME}/.anyRemote/*.png rw,
    owner @{HOME}/.kde/share/apps/amarok/albumcovers/cache/* r,

          /tmp/ r,
    owner @{tmp}/*.png rw,
    owner @{tmp}/amarok_covers/* rw,
    owner @{tmp}/magick-* rw,

    include if exists <local/anyremote_imagemagic>
  }

  profile killall {
    include <abstractions/base>
    include <abstractions/consoles>

    capability sys_ptrace,

    signal (send) set=(term, kill),

    ptrace (read),

    @{bin}/killall mr,

    # The /proc/ dir is needed to avoid the following error:
    #  /proc: Permission denied
         @{PROC}/ r,
         @{PROC}/@{pids}/stat r,

    # file_inherit
    owner @{HOME}/.anyRemote/anyremote.stdout w,

    include if exists <local/anyremote_killall>
  }

  profile pgrep {
    include <abstractions/base>
    include <abstractions/app/pgrep>

    owner @{HOME}/.anyRemote/anyremote.stdout w,

    include if exists <local/anyremote_pgrep>
  }

  include if exists <local/anyremote>
}

# vim:syntax=apparmor