# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/3.0>,

include <tunables/global>

@{exec_path} = @{lib}/{,gdm/}gdm-session-worker
profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/authentication>
  include <abstractions/bus-session>
  include <abstractions/bus-system>
  include <abstractions/bus/org.freedesktop.Accounts>
  include <abstractions/nameservice-strict>

  capability audit_write,
  capability chown,
  capability dac_override,
  capability dac_read_search,
  capability fowner,
  capability fsetid,
  capability kill,
  capability net_admin,
  capability setgid,
  capability setuid,
  capability sys_nice,
  capability sys_resource,
  capability sys_tty_config,

  network netlink raw,

  signal (receive) set=term peer=gdm,
  signal (receive) set=hup peer=@{systemd},
  signal (send) set=hup peer=at-spi*,
  signal (send) set=hup peer=dbus-daemon,
  signal (send) set=hup peer=dbus-run-session,
  signal (send) set=hup peer=dconf-service,
  signal (send) set=hup peer=gjs-console,
  signal (send) set=hup peer=gnome-*,
  signal (send) set=hup peer=gsd-*,
  signal (send) set=hup peer=ibus-*,
  signal (send) set=hup peer=tracker-miner,
  signal (send) set=hup peer=xdg-permission-store,
  signal (send) set=hup peer=xorg,
  signal (send) set=hup peer=xwayland,
  signal (send) set=term peer=gdm-*-session,

  dbus send bus=system path=/org/freedesktop/login1
       interface=org.freedesktop.login1.Manager
       member=*Session
       peer=(name=org.freedesktop.login1, label=systemd-logind),

  dbus send bus=system path=/org/freedesktop/Accounts/User@{uid}
       interface=org.freedesktop.Accounts.User
       member=SetLanguage
       peer=(name=:*, label=accounts-daemon),

  @{exec_path} mrix,

  @{bin}/gnome-keyring-daemon             rPx,
  @{bin}/unix_chkpwd                      rPx,
  @{etc_ro}/X11/xdm/Xstartup             rPUx,
  @{lib}/{,gdm/}gdm-wayland-session       rPx,
  @{lib}/{,gdm/}gdm-x-session             rPx,
  /etc/gdm{3,}/{Pre,Post}Session/Default  rix,
  /etc/gdm{3,}/PostLogin/Default          rix,
  /etc/gdm{3,}/PrimeOff/Default           rix,

  /usr/share/gdm/gdm.schemas r,
  /usr/share/wayland-sessions/*.desktop r,

  @{etc_ro}/environment r,
  @{etc_ro}/security/limits.d/{,*.conf} r,
  /etc/default/locale r,
  /etc/gdm{3,}/custom.conf r,
  /etc/gdm{3,}/daemon.conf r,
  /etc/locale.conf r,
  /etc/machine-id r,
  /etc/motd r,
  /etc/motd.d/ r,
  /etc/shells r,
  /etc/sysconfig/displaymanager r,
  /etc/sysconfig/windowmanager r,

  owner @{HOME}/.pam_environment r,

  owner @{run}/systemd/seats/seat@{int} r,
  owner @{run}/user/@{uid}/keyring/control rw,

  @{run}/cockpit/active.motd r,
  @{run}/faillock/[a-zA-z0-9]* rwk,
  @{run}/gdm{3,}/custom.conf r,
  @{run}/motd.d/{,*} r,
  @{run}/systemd/sessions/* r,
  @{run}/systemd/sessions/*.ref rw,
  @{run}/systemd/users/@{uid} r,
  @{run}/utmp rwk,

  owner @{PROC}/@{pid}/fd/ r,
  owner @{PROC}/@{pid}/loginuid rw,
  owner @{PROC}/@{pid}/task/@{tid}/attr/exec rw,
  owner @{PROC}/@{pid}/uid_map r,
        @{PROC}/@{pids}/cgroup r,
        @{PROC}/1/limits r,
        @{PROC}/keys r,

  /dev/tty rw,
  /dev/tty@{int} rw,

  # Add user; set password on first login
  /etc/.pwd.lock wk,
  /etc/nshadow rw,
  /etc/shadow w,

  include if exists <local/gdm-session-worker>
}