# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/3.0>,

include <tunables/global>

# Attachment paths: the AppImage dropped on the Desktop, with and without
# spaces in its filename (the spaced form needs quoting).
# NOTE(review): this hard-codes /home/* rather than @{HOME}; confirm whether
# non-default home directories (@{HOMEDIRS}) should also attach.
@{exec_path} = "/home/*/Desktop/Beyond All Reason.AppImage" /home/*/Desktop/BeyondAllReason.AppImage
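# Confines the Beyond All Reason AppImage (Electron/Chromium launcher plus the
# Spring engine it downloads into "@{HOME}/Beyond All Reason/").
profile appimage-beyond-all-reason @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
  include <abstractions/X>
  include <abstractions/gtk>
  include <abstractions/freedesktop.org>
  include <abstractions/fonts>
  include <abstractions/fontconfig-cache-read>
  include <abstractions/nameservice-strict>
  include <abstractions/dri-common>
  include <abstractions/dri-enumerate>
  include <abstractions/mesa>
  include <abstractions/ssl_certs>
  include <abstractions/audio>

  # Presumably for the Chromium sandbox/crash handler inspecting its own
  # child processes (it also reads yama/ptrace_scope below) -- confirm.
  capability sys_ptrace,

  # For kernel unprivileged user namespaces: after unshare() the process
  # re-maps its own ids through the /proc files below.
  # sys_admin is also what mount(2) requires, so it backs the FUSE mount rule
  # further down. It is a very broad capability; keep this set minimal.
  capability sys_admin,
  capability sys_chroot,
  capability setuid,
  capability setgid,
  owner @{PROC}/@{pid}/setgroups w,
  owner @{PROC}/@{pid}/gid_map w,
  owner @{PROC}/@{pid}/uid_map w,

  network netlink raw,
  network inet dgram,
  network inet6 dgram,
  network inet stream,
  network inet6 stream,

  @{exec_path} mr,

  /{usr/,}bin/{,ba,da}sh                 rix,
  /{usr/,}bin/xmessage                   rix,

  # Presumably used to symbolise stack traces in crash output -- confirm.
  /{usr/,}bin/x86_64-linux-gnu-addr2line rix,

  # Transition to fusermount's own profile (Px) so the setuid FUSE helper does
  # not inherit this profile's capabilities.
  /{usr/,}bin/fusermount{,3}             rPx,

  # The AppImage runtime mounts its squashfs payload over FUSE here.
  mount fstype={fuse,fuse.*} -> /tmp/.mount_Beyond*/,

  # Mounted AppImage payload. Everything under bin/ and the unpacked node
  # modules may execute under this profile (rix), so the profile trusts the
  # contents of the AppImage itself.
  # TODO(review): these mount-point rules carry no `owner` qualifier; confirm
  # whether the runtime always creates /tmp/.mount_Beyond*/ as the invoking
  # user before tightening them.
  /var/tmp/ r,
  /tmp/ r,
  /tmp/.mount_Beyond*/  rw,
  /tmp/.mount_Beyond*/beyond-all-reason rix,
  /tmp/.mount_Beyond*/AppRun rix,
  /tmp/.mount_Beyond*/bin/* rix,
  /tmp/.mount_Beyond*/resources/app.asar.unpacked/node_modules/** rix,
  /tmp/.mount_Beyond*/**  r,
  /tmp/.mount_Beyond*/**.so{,.[0-9]*} mr,

  # Chromium singleton lock and shared-memory scratch files.
  owner /tmp/.org.chromium.Chromium.*/ rw,
  owner /tmp/.org.chromium.Chromium.*/SingletonCookie rw,
  owner /tmp/.org.chromium.Chromium.*/SS rw,
  owner /tmp/.org.chromium.Chromium.*/*.png rw,
  owner /tmp/.org.chromium.Chromium.* rw,

  # Launcher configuration.
  owner @{HOME}/.config/Beyond-All-Reason/ rw,
  owner @{HOME}/.config/Beyond-All-Reason/** rwk,

  # Game data directory; the downloaded Spring engine binaries run under this
  # profile (rix), and the tree may be mmap'ed (m).
  owner "@{HOME}/Beyond All Reason/" rw,
  owner "@{HOME}/Beyond All Reason/**" rwkm,
  owner "@{HOME}/Beyond All Reason/engine/**/spring" rix,

  owner @{HOME}/.spring/ rw,
  owner @{HOME}/.spring/** rw,

  # NSS certificate database used by the Chromium network stack.
  owner @{HOME}/.pki/ rw,
  owner @{HOME}/.pki/nssdb/ rw,
  owner @{HOME}/.pki/nssdb/pkcs11.txt rw,
  owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk,
  owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw,

  # Explicit deny rules are quiet, so these expected probes stay out of the
  # audit log without granting them.
             @{PROC}/ r,
       owner @{PROC}/@{pid}/fd/ r,
  deny owner @{PROC}/@{pid}/cmdline r,
             @{PROC}/@{pids}/stat r,
       owner @{PROC}/@{pids}/statm r,
       owner @{PROC}/@{pids}/task/ r,
       owner @{PROC}/@{pids}/task/@{tid}/status r,
       owner @{PROC}/@{pid}/oom_{,score_}adj r,
  deny owner @{PROC}/@{pid}/oom_{,score_}adj w,
             @{PROC}/sys/fs/inotify/max_user_watches r,
             @{PROC}/sys/kernel/yama/ptrace_scope r,

  owner /dev/shm/.org.chromium.Chromium.* rw,

  # GPU enumeration for the Chromium renderer.
  @{sys}/bus/pci/devices/ r,
  @{sys}/devices/pci[0-9]*/**/class r,
  @{sys}/devices/virtual/tty/tty0/active r,

  # Needed by the AppImage runtime for the FUSE mount above.
  /dev/fuse rw,

  /var/lib/dbus/machine-id r,
  /etc/machine-id r,

  # Site-local additions, loaded only if the file exists.
  include if exists <local/appimage-beyond-all-reason>
}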