# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/3.0>,

include <tunables/global>

@{code_config_dirs} = @{user_config_dirs}/Code* @{HOME}/.vscode{,-oss}

@{exec_path} = @{lib}/electron@{int}/electron
profile code flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/chromium-common>
  include <abstractions/dconf-write>
  include <abstractions/desktop>
  include <abstractions/fontconfig-cache-read>
  include <abstractions/graphics>
  include <abstractions/nameservice-strict>
  include <abstractions/ssl_certs>

  capability sys_ptrace,

  network inet stream,
  network inet6 stream,
  network inet dgram,
  network inet6 dgram,
  network netlink raw,

  signal (send),

  @{exec_path} mrix,

  @{lib}/code/node_modules.asar.unpacked/**.node rm,

  # Core tools
  @{bin}/git                    rPx,
  @{bin}/gpg{,2}                rPx,
  @{bin}/lsb_release            rPx -> lsb_release,
  @{bin}/rg                     rix,
  @{open_path}                  rPx -> child-open,

  # The shell is not confined on purpose.
  @{bin}/@{shells}              rUx,

  # Confine some common tools
  @{lib}/code/extensions/git/dist/askpass.sh     rPx,
  @{lib}/code/extensions/git/dist/git-editor.sh  rPx,

  # Do NOT confine most of the extensions
  @{bin}/[a-z0-9]*                   rPUx,
  @{code_config_dirs}/extensions/**  rPUx,
  @{HOME}/.go/bin/*                  rPUx,
  @{lib}/go/bin/*                    rPUx,
  @{bin}/python3.@{int}               rUx,

  /etc/shells r,
  /etc/lsb-release r,

  owner @{HOME}/@{XDG_SSH_DIR}/config r,

  owner @{code_config_dirs}/** rwkl -> @{code_config_dirs}/**,

  owner @{user_projects_dirs}/ r,
  owner @{user_projects_dirs}/** rwkl -> @{user_projects_dirs}/**,

  owner /tmp/@{uuid} rw,
  owner /tmp/vscode-*/{,**} rw,
  owner /tmp/vscode-ipc-@{uuid}.sock rw,

  owner @{run}/user/@{uid}/vscode-@{hex}-*-{shared,main}.sock rw,
  owner @{run}/user/@{uid}/vscode-git-@{hex}.sock rw,
  owner @{run}/user/@{uid}/git-graph-askpass-[a-zA-Z0-9]*.sock rw,

  @{run}/systemd/inhibit/*.ref rw,

  @{sys}/devices/system/cpu/present r,
  @{sys}/devices/system/cpu/kernel_max r,
  @{sys}/devices/virtual/tty/tty@{int}/active r,

        @{PROC}/ r,
        @{PROC}/@{pid}/fd/ r,
        @{PROC}/@{pid}/stat r,
        @{PROC}/loadavg r,
        @{PROC}/sys/fs/inotify/max_user_watches r,
        @{PROC}/sys/kernel/yama/ptrace_scope r,
        @{PROC}/version r,
  owner @{PROC}/@{pid}/cgroup r,
  owner @{PROC}/@{pid}/cmdline r,
  owner @{PROC}/@{pid}/comm w,
  owner @{PROC}/@{pid}/mountinfo r,
  owner @{PROC}/@{pid}/mounts r,
  owner @{PROC}/@{pid}/oom_score_adj rw,
  owner @{PROC}/@{pid}/statm r,
  owner @{PROC}/@{pids}/clear_refs w,
  owner @{PROC}/@{pids}/task/ r,
  owner @{PROC}/@{pids}/task/@{tid}/status r,

  deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,

  include if exists <local/code>
}