# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/3.0>,

include <tunables/global>

@{exec_path} = @{bin}/i3lock-fancy
profile i3lock-fancy @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
  include <abstractions/fonts>
  include <abstractions/fontconfig-cache-read>

  @{exec_path} r,
  @{bin}/{,ba,da}sh rix,

  @{bin}/rm         rix,
  @{bin}/fc-match   rix,
  @{bin}/getopt     rix,
  @{bin}/mktemp     rix,
  @{bin}/{m,g,}awk  rix,
  @{bin}/basename   rix,
  @{bin}/env        rix,

  @{bin}/i3lock     rPx,
  @{bin}/xrandr     rPx,

  @{bin}/convert-im6.q16 rCx -> imagemagic,
  @{bin}/import-im6.q16  rCx -> imagemagic,
  @{bin}/scrot           rCx -> imagemagic,

  owner /tmp/tmp.*.png rw,
  owner /tmp/tmp.* rw,
  owner /tmp/sh-thd.* rw,

  /usr/share/i3lock-fancy/{,*} r,

  # file_inherit
  owner /dev/tty@{int} rw,


  profile imagemagic {
    include <abstractions/base>
    include <abstractions/fonts>
    include <abstractions/fontconfig-cache-read>

    @{bin}/convert-im6.q16 mr,
    @{bin}/import-im6.q16  mr,
    @{bin}/scrot           mr,

    /usr/share/ImageMagick-[0-9]/*.xml r,
    /etc/ImageMagick-[0-9]/*.xml r,

    owner @{HOME}/.Xauthority r,

    /usr/share/i3lock-fancy/**.png r,

    # For gray scale (doesn't seem to be required). It produces files like /home/*/PIHFhJ .
    deny owner @{HOME}/* rw,

    owner /tmp/tmp.*.png rw,

    # file_inherit
    owner /dev/tty@{int} rw,

  }

  include if exists <local/i3lock-fancy>
}