# vim:syntax=apparmor
# ------------------------------------------------------------------
#
#    Copyright (C) 2019-2021 Mikhail Morfikov
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License published by the Free Software Foundation.
#
# ------------------------------------------------------------------

abi <abi/3.0>,

include <tunables/global>

@{exec_path} = /{usr/,}bin/reportbug
profile reportbug @{exec_path} {
  include <abstractions/base>
  include <abstractions/wayland>
  include <abstractions/consoles>
  include <abstractions/fonts>
  include <abstractions/fontconfig-cache-read>
  include <abstractions/freedesktop.org>
  include <abstractions/gtk>
  include <abstractions/nameservice-strict>
  include <abstractions/enchant>
  include <abstractions/python>
  include <abstractions/apt-common>
  include <abstractions/deny-root-dir-access>
  include <abstractions/deny-dconf>

  network inet dgram,
  network inet6 dgram,
  network inet stream,
  network inet6 stream,
  network netlink raw,

  @{exec_path} r,
  /{usr/,}bin/python3.[0-9]* r,

  /usr/share/reportbug/handle_bugscript rix,

  /{usr/,}bin/ r,
  /{usr/,}sbin/ldconfig        rix,
  /{usr/,}bin/{,ba,da}sh       rix,
  /{usr/,}bin/stty             rix,
  /{usr/,}bin/readlink         rix,
  /{usr/,}bin/locale           rix,
  /{usr/,}bin/aa-enabled       rix,
  /{usr/,}sbin/selinuxenabled  rix,
  /{usr/,}bin/md5sum           rix,

  /{usr/,}bin/debconf-show     rPx,
  /{usr/,}bin/debsums          rPx,
  /{usr/,}bin/dlocate          rPx,
  /{usr/,}bin/apt-cache        rPx,
  # Do not strip env to avoid errors like the following:
  #  ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open
  #  shared object file): ignored.
  /{usr/,}bin/dpkg-query       rpx,
  #
  /{usr/,}sbin/exim4           rPx,

  /{usr/,}bin/lsb_release      rPx -> child-lsb_release,
  /{usr/,}bin/dpkg             rPx -> child-dpkg,
  /{usr/,}bin/systemctl        rPx -> child-systemctl,
  /{usr/,}bin/pager            rPx -> child-pager,
  /{usr/,}bin/less             rPx -> child-pager,
  /{usr/,}bin/more             rPx -> child-pager,

  /{usr/,}bin/xdg-open         rCx -> open,
  /{usr/,}bin/run-parts        rCx -> run-parts,
  /{usr/,}bin/gpg              rCx -> gpg,

  # For sending additional information
  /etc/** r,

  /etc/reportbug.conf r,
  owner @{HOME}/.reportbugrc{,~} rw,

  # For shell pwd
  owner @{HOME}/ r,

  # Think what to do with it (#FIXME#)
  /usr/share/bug/*/{control,presubj} r,
  /usr/share/bug/* rPUx,

  /usr/share/glib-2.0/schemas/gschemas.compiled r,
  /usr/share/X11/xkb/** r,

  /{usr/,}lib/python3/dist-packages/pylocales/locales.db rk,

        @{PROC}/1/cgroup r,
  owner @{PROC}/@{pid}/cgroup r,
  owner @{PROC}/@{pid}/mounts r,
  owner @{PROC}/@{pid}/fd/ r,
        @{PROC}/sys/kernel/tainted r,

  @{sys}/module/apparmor/parameters/enabled r,

  owner     /tmp/reportbug-*-[0-9]*-@{pid}-* rw,
  owner     /tmp/[a-z0-9]* rw,
  owner /var/tmp/*.bug{,~} rw,

  # Allowed apps to open
  /{usr/,}lib/firefox/firefox rPUx,


  profile run-parts {
    include <abstractions/base>

    /{usr/,}bin/run-parts mr,

  }

  profile gpg {
    include <abstractions/base>

    /{usr/,}bin/gpg mr,

    owner @{HOME}/.gnupg/ rw,
    owner @{HOME}/.gnupg/** rwkl -> @{HOME}/.gnupg/**,

    owner /tmp/reportbug-*-{signed,unsigned}-[0-9]*-[0-9]*-* rw,

  }

  profile open {
    include <abstractions/base>
    include <abstractions/xdg-open>

    /{usr/,}bin/xdg-open mr,

    /{usr/,}bin/{,ba,da}sh      rix,
    /{usr/,}bin/gawk            rix,
    /{usr/,}bin/readlink        rix,
    /{usr/,}bin/basename        rix,

    owner @{HOME}/ r,

    owner @{run}/user/[0-9]*/ r,

    # Allowed apps to open
    /{usr/,}lib/firefox/firefox rPUx,

    # file_inherit
    owner @{HOME}/.xsession-errors w,

  }

  include if exists <local/reportbug>
}