# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/3.0>,

include <tunables/global>

@{exec_path} = @{bin}/flatpak
profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain) {
  include <abstractions/base>
  include <abstractions/bus-session>
  include <abstractions/bus-system>
  include <abstractions/bus/org.freedesktop.Accounts>
  include <abstractions/consoles>
  include <abstractions/dconf-write>
  include <abstractions/desktop>
  include <abstractions/nameservice-strict>
  include <abstractions/ssl_certs>

  # userns,

  capability dac_override,
  capability dac_read_search,
  capability net_admin,
  capability sys_ptrace,

  network inet dgram,
  network inet6 dgram,
  network inet stream,
  network inet6 stream,
  network netlink raw,

  mount fstype=fuse.revokefs-fuse options=(rw, nosuid, nodev) -> /var/tmp/flatpak-cache-*/*/,

  ptrace (read) peer=flatpak-app,

  @{exec_path} mr,

  @{bin}/bwrap               rPx -> flatpak-app,
  @{bin}/fusermount{,3}      rCx -> fusermount,
  @{bin}/gpg                 rCx -> gpg,
  @{bin}/gpgconf             rCx -> gpg,
  @{bin}/gpgsm               rCx -> gpg,
  @{lib}/revokefs-fuse       rix,

  /usr/share/flatpak/{,**} r,

  /etc/flatpak/{,**} r,
  /etc/pulse/client.conf r,

  / r,

  /var/lib/flatpak/{,**} rwlk,

        /var/tmp/#@{int} rw,
        /var/tmp/flatpak-cache-@{rand6}/{,**/} r,
  owner /var/tmp/flatpak-cache-@{rand6}/{,**} rwk,

  owner @{HOME}/.var/ w,
  owner @{HOME}/.var/app/{,**} rw,

  owner @{user_cache_dirs}/flatpak/{,**} rw,
  owner @{user_config_dirs}/pulse/client.conf r,
  owner @{user_config_dirs}/user-dirs.dirs r,

        @{user_share_dirs}/flatpak/{,**} r,
  owner @{user_share_dirs}/ r,
  owner @{user_share_dirs}/flatpak/{,**} rwl,

        /tmp/#@{int} rw,
  owner /dev/shm/flatpak*/{,**} rw,
  owner @{tmp}/ostree-gpg-*/{,**} rw,

        @{run}/.userns r,
        @{run}/user/@{uid}/.dbus-proxy/ w,
        @{run}/user/@{uid}/dconf/user rw,
  owner @{run}/user/@{uid}/.dbus-proxy/* rw,
  owner @{run}/user/@{uid}/.flatpak-cache rw,
  owner @{run}/user/@{uid}/.flatpak/ rw,
  owner @{run}/user/@{uid}/.flatpak/** rwlk -> @{run}/user/@{uid}/.flatpak/**,
  owner @{run}/user/@{uid}/app/ w,
  owner @{run}/user/@{uid}/app/*/ w,
  owner @{run}/user/@{uid}/systemd/private rw,

  @{sys}/module/nvidia/version r,

        @{PROC}/sys/fs/pipe-max-size r,
  owner @{PROC}/@{pid}/fdinfo/@{int} r,
  owner @{PROC}/@{pid}/stat r,

  /dev/fuse rw,
  /dev/tty rw,
  /dev/tty@{int} rw,

  deny @{user_share_dirs}/gvfs-metadata/* r,

  profile gpg {
    include <abstractions/base>
    include <abstractions/consoles>

    capability dac_read_search,

    @{bin}/gpg{,2}  mr,
    @{bin}/gpgconf  mr,
    @{bin}/gpgsm    mr,

    @{HOME}/@{XDG_GPG_DIR}/*.conf r,

    owner @{tmp}/ostree-gpg-*/ rw,
    owner @{tmp}/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**,

    include if exists <local/flatpak_gpg>
  }

  profile fusermount {
    include <abstractions/base>
    include <abstractions/consoles>
    include <abstractions/nameservice-strict>

    capability sys_admin,

    mount fstype=fuse.revokefs-fuse options=(rw, nosuid, nodev) -> /var/tmp/flatpak-cache-*/*/,
    umount /var/tmp/flatpak-cache-*/*/,

    @{bin}/fusermount{,3} mr,

    /etc/fuse.conf r,

    @{PROC}/@{pids}/mounts r,

    /dev/fuse rw,

    include if exists <local/flatpak_fusermount>
  }

  include if exists <local/flatpak>
}