# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/3.0>,

include <tunables/global>

@{exec_path} = /{usr/,}lib/dconf/dconf-service /usr/libexec/dconf-service
profile dconf-service @{exec_path} {
  include <abstractions/base>

  # Needed?
  deny capability sys_nice,

  @{exec_path} mr,

  owner @{run}/user/[0-9]*/dconf/ rw,
  owner @{run}/user/[0-9]*/dconf/user rw,

  owner @{HOME}/.config/dconf/ rw,
  owner @{HOME}/.config/dconf/user{,.*} rw,

  owner @{HOME}/.cache/ rw,
  owner @{HOME}/.cache/dconf/ rw,
  owner @{HOME}/.cache/dconf/user rw,

  @{PROC}/cmdline r,

  include if exists <local/dconf-service>
}