apparmor.d/apparmor.d/abstractions/fontconfig-cache-write

# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

  abi <abi/3.0>,

  owner @{user_cache_dirs}/fontconfig/ rw,
  owner @{user_cache_dirs}/fontconfig/CACHEDIR.TAG{,.NEW,.LCK,.TMP-*} rw,
  owner @{user_cache_dirs}/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rwk,

  owner @{HOME}/.fontconfig/ rw,
  owner @{HOME}/.fontconfig/CACHEDIR.TAG{,.NEW,.LCK,.TMP-*} rw,
  owner @{HOME}/.fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rwk,

  owner @{HOME}/.fonts/ rw,
   link @{HOME}/.fonts/.uuid.LCK -> @{HOME}/.fonts/.uuid.TMP-*,
  owner @{HOME}/.fonts/.uuid{,.NEW,.LCK,.TMP-*}  r,
  owner @{HOME}/.fonts/.uuid{,.NEW,.LCK,.TMP-*}  w,

  # This is to create .uuid file containing an UUID at a font directory. The UUID will be used to
  # identify the font directory and is used to determine the cache filename if available.
  owner /usr/local/share/fonts/ rw,
  owner /usr/local/share/fonts/.uuid{,.NEW,.LCK,.TMP-*} rw,
   link /usr/local/share/fonts/.uuid.LCK -> /usr/local/share/fonts/.uuid.TMP-*,
  # Should writing to these dirs be blocked?
        /usr/share/**/.uuid{,.NEW,.LCK,.TMP-*}  r,
  deny  /usr/share/**/.uuid{,.NEW,.LCK,.TMP-*}  w,

        /var/cache/fontconfig/ rw,
  owner /var/cache/fontconfig/** rw,
  owner /var/cache/fontconfig/*.cache-[0-9]* rwk,
  owner /var/cache/fontconfig/*.cache-[0-9]*.LCK rwl,
  owner /var/cache/fontconfig/CACHEDIR.TAG.LCK rwl,

  # For fonts downloaded via font-manager (###FIXME### when they fix resolving of vars)
  owner @{user_share_dirs}/fonts/ rw,
  owner @{user_share_dirs}/fonts/**/.uuid{,.NEW,.LCK,.TMP-*} rw,
   link @{user_share_dirs}/fonts/**/.uuid.LCK -> /home/*/.local/share/fonts/**/.uuid.TMP-*,

  include if exists <abstractions/fontconfig-cache-write.d>