# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2017-2021 Mikhail Morfikov
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/3.0>,

include <tunables/global>

@{exec_path} = @{bin}/xinit
profile xinit @{exec_path} {
  include <abstractions/base>
  include <abstractions/nameservice-strict>

  signal (receive) set=(usr1) peer=xorg,

  signal (send) set=(term, kill) peer=xorg,
  signal (send) set=(hup),

  @{exec_path} mr,

  @{bin}/               r,
  @{sh_path}          rix,
  @{bin}/{,e}grep     rix,
  @{bin}/{m,g,}awk    rix,
  @{bin}/cat          rix,
  @{bin}/chmod        rix,
  @{bin}/date         rix,
  @{bin}/head         rix,
  @{bin}/id           rix,
  @{bin}/mktemp       rix,
  @{bin}/rm           rix,
  @{bin}/sed          rix,
  @{bin}/tail         rix,
  @{bin}/tempfile     rix,
  @{bin}/touch        rix,
  @{bin}/which{,.debianutils}    rix,
  /etc/X11/xinit/xinitrc   rix,
  /etc/X11/xinit/xserverrc rix,

  @{bin}/dbus-update-activation-environment rix,

  @{bin}/gpgconf     rPx,
  @{bin}/run-parts   rCx -> run-parts,
  @{bin}/udevadm     rCx -> udevadm,

  @{bin}/flatpak     rPx,
  @{bin}/glxinfo     rPx,
  @{bin}/numlockx    rPx,
  @{bin}/X           rPx,
  @{bin}/xhost       rPx,
  @{bin}/Xorg        rPx,
  @{bin}/xrdb        rPx,

  # Allowed GUI sessions to start
  @{bin}/openbox-session      rPx,
  @{bin}/enlightenment_start rPUx,
  @{bin}/sway                rPUx,
  @{bin}/ssh-agent            rPx,

  # Allow custom GUI launcher to start
  @{bin}/*           rPUx,
  @{lib}/**          rPUx,

  /etc/X11/{,**} r,
  /etc/default/{,*} r,

  owner @{HOME}/ r,
  owner @{HOME}/.Xauthority r,
  owner @{HOME}/.xserverrc r,
  owner @{HOME}/.xsession-errors w,

  owner /tmp/file* rw,
  owner /tmp/tmp.* rw,

  /dev/tty rw,

  profile run-parts {
    include <abstractions/base>

    @{bin}/run-parts mr,

    /etc/X11/Xsession.d/ r,
    /etc/X11/Xresources/ r,

    # file_inherit
    owner /dev/tty@{int} rw,
    owner @{HOME}/.xsession-errors w,

    include if exists <local/xinit_run-parts>
  }

  profile udevadm {
    include <abstractions/base>

    @{bin}/udevadm mr,

    /etc/udev/udev.conf r,

    @{run}/udev/data/* r,
  
    @{sys}/bus/ r,
    @{sys}/bus/*/devices/ r,
    @{sys}/class/ r,
    @{sys}/class/*/ r,
    @{sys}/devices/**/uevent r,
    @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,

          @{PROC}/1/environ r,
          @{PROC}/1/sched r,
          @{PROC}/cmdline r,
          @{PROC}/sys/kernel/osrelease r,
    owner @{PROC}/@{pid}/stat r,

    # file_inherit
    owner /dev/tty@{int} rw,
    owner @{HOME}/.xsession-errors w,

    include if exists <local/xinit_udevadm>
  }

  include if exists <local/xinit>
}