# vim:syntax=apparmor
# ------------------------------------------------------------------
#
#    Copyright (C) 2019-2021 Mikhail Morfikov
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License published by the Free Software Foundation.
#
# ------------------------------------------------------------------

abi <abi/3.0>,

include <tunables/global>

@{exec_path} = /{usr/,}bin/htop
profile htop @{exec_path} {
  include <abstractions/base>
  include <abstractions/nameservice-strict>

  # To be able to read the /proc/ files of all processes in the system.
  capability dac_read_search,

  # To manage priorities.
  capability sys_nice,

  # To terminate other users' processes when htop is started as root.
  capability kill,

  capability sys_ptrace,

  # Needed? (for system state)
  audit deny capability net_admin,

  signal (send),
  ptrace (read),

  network netlink raw,

  @{exec_path} mr,

  @{PROC}/ r,
  @{PROC}/loadavg r,
  @{PROC}/uptime r,
  @{PROC}/tty/drivers r,
  @{PROC}/sys/kernel/osrelease r,
  @{PROC}/sys/kernel/pid_max r,
  @{PROC}/pressure/cpu r,
  @{PROC}/pressure/io r,
  @{PROC}/pressure/memory r,
  @{PROC}/diskstats r,

  @{PROC}/@{pids}/cmdline r,
  @{PROC}/@{pids}/stat r,
  @{PROC}/@{pids}/statm r,
  @{PROC}/@{pids}/environ r,
  @{PROC}/@{pids}/oom_{,score_}adj r,
  @{PROC}/@{pids}/oom_score r,
  @{PROC}/@{pids}/cgroup r,
  @{PROC}/@{pids}/wchan r,
  @{PROC}/@{pids}/io r,
  @{PROC}/@{pids}/comm r,

  @{PROC}/@{pids}/task/ r,
  @{PROC}/@{pids}/task/@{tid}/cmdline r,
  @{PROC}/@{pids}/task/@{tid}/stat r,
  @{PROC}/@{pids}/task/@{tid}/statm r,
  @{PROC}/@{pids}/task/@{tid}/environ r,
  @{PROC}/@{pids}/task/@{tid}/oom_{,score_}adj r,
  @{PROC}/@{pids}/task/@{tid}/oom_score r,
  @{PROC}/@{pids}/task/@{tid}/cgroup r,
  @{PROC}/@{pids}/task/@{tid}/wchan r,
  @{PROC}/@{pids}/task/@{tid}/status r,
  @{PROC}/@{pids}/task/@{tid}/io r,
  @{PROC}/@{pids}/task/@{tid}/comm r,
  @{PROC}/@{pids}/net/dev r,

  owner @{PROC}/@{pid}/smaps_rollup r,

  @{sys}/devices/virtual/block/zram[0-9]*/{disksize,mm_stat} r,
  @{sys}/devices/system/cpu/cpufreq/policy[0-9]*/scaling_cur_freq r,
  @{sys}/class/i2c-adapter/ r,
  @{sys}/devices/pci[0-9]*/**/i2c-[0-9]*/name r,
  @{sys}/class/hwmon/ r,
  @{sys}/class/power_supply/ r,
  @{sys}/devices/**/power_supply/**/{uevent,type,online} r,
  @{sys}/devices/**/hwmon/ r,
  @{sys}/devices/**/hwmon/{name,temp*} r,
  @{sys}/devices/**/hwmon/**/ r,
  @{sys}/devices/**/hwmon/**/{name,temp*} r,
  @{sys}/devices/**/hwmon[0-9]*/ r,
  @{sys}/devices/**/hwmon[0-9]*/{name,temp*} r,
  @{sys}/devices/**/hwmon[0-9]*/**/ r,
  @{sys}/devices/**/hwmon[0-9]*/**/{name,temp*} r,

  owner @{HOME}/.config/htop/ rw,
  owner @{HOME}/.config/htop/htoprc rw,

  # When started in TTY, to remove the following error:
  #  htop[]: *** err
  #  /dev/tty2: Permission denied
  #  htop[]: *** err
  #  htop[]: Oh, oh, it's an error! possibly I die!
  /dev/tty[0-9]* rw,

  /etc/sensors.d/ r,
  /etc/sensors3.conf r,

  include if exists <local/htop>
}