# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# NEEDS-VARIABLE: name
# NEEDS-VARIABLE: domain
# NEEDS-VARIABLE: lib_dirs
# NEEDS-VARIABLE: config_dirs
# NEEDS-VARIABLE: cache_dirs

# Minimal set of rules for all Electron-based UI applications. It works as a
# *function*: the variables below must be provided as *arguments*, set in the
# header of the calling profile before this file is included. Example:
#
# !!! quote ""
#
#     ```
#     @{name} = spotify
#     @{domain} = org.chromium.chromium
#     @{lib_dirs} = /opt/@{name}/ /usr/share/@{name}/
#     @{config_dirs} = @{user_config_dirs}/@{name}
#     @{cache_dirs} = @{user_cache_dirs}/@{name}
#     ```
#

  abi <abi/4.0>,

  # Shared building blocks: the Chromium runtime rules (Electron embeds
  # Chromium), XDG base dirs, dconf, desktop integration, fonts, GPU access,
  # name resolution and the system CA store.
  include <abstractions/common/chromium>
  include <abstractions/common/xdg>
  include <abstractions/dconf-write>
  include <abstractions/desktop>
  include <abstractions/fontconfig-cache-read>
  include <abstractions/graphics>
  include <abstractions/attached/nameservice-strict>
  include <abstractions/ssl_certs>

  # xdg-mime / xdg-settings run confined by this same profile (ix), so
  # whatever they open must be allowed here too (see the mimeapps/.desktop
  # rules below).
  @{bin}/xdg-mime rix,
  @{bin}/xdg-settings rix,

  # Distribution-packaged Electron runtime. The crashpad handler is the only
  # helper that gets its own child profile (defined further down).
  @{bin}/electron rix,
  @{bin}/electron@{int} rix,
  @{lib}/electron@{int}/{,**} r,
  @{lib}/electron@{int}/chrome_crashpad_handler cx -> crashpad_handler,
  @{lib}/electron@{int}/electron  rix,

  # The application's own install tree(s) (@{lib_dirs}). Only shared objects
  # and the native addons shipped under app.asar.unpacked/node_modules may be
  # mapped executable (m); everything else in the tree is read-only.
  @{lib_dirs}/{,**} r,
  @{lib_dirs}/*.so* mr,
  @{lib_dirs}/{,resources/}app.asar.unpacked/node_modules/**.node mr,
  @{lib_dirs}/{,resources/}app.asar.unpacked/node_modules/**.so mr,
  @{lib_dirs}/{,resources/}app.asar.unpacked/node_modules/**.so.@{int} mr,
  @{lib_dirs}/chrome_crashpad_handler cx -> crashpad_handler,

  # System-wide configuration for the app, read-only.
  /etc/@{name}/{,**} r,

  # Per-user config and cache, restricted to files owned by the running user.
  owner @{config_dirs}/ rw,
  owner @{config_dirs}/** rwlk,

  owner @{cache_dirs}/ rw,
  owner @{cache_dirs}/** rwlk,

  # For direct integration with xdg-mime and xdg-settings
  # NOTE(review): the applications/ rule lets the app create or rewrite *any*
  # .desktop entry of the user, and those entries are later executed by the
  # desktop environment outside this confinement. If xdg-settings only needs
  # the app's own entry, narrowing this to @{name}.desktop would be tighter —
  # TODO confirm against what xdg-settings actually writes.
  owner @{user_config_dirs}/mimeapps.list{,.new} rw,
  owner @{user_config_dirs}/xfce4/helpers.rc{,.@{rand6}} rw,
  owner @{user_share_dirs}/applications/{,**} rw,

  # Per-user Electron launch flags (read-only).
  owner @{user_config_dirs}/electron-flags.conf r,

  # Scratch directory the app creates under @{tmp}, named after @{domain}.
  owner @{tmp}/.@{domain}.*/{,**} rw,

  # systemd inhibitor lock handles (e.g. to block suspend during playback);
  # @{att} because the path may be disconnected from the app's namespace.
  @{att}@{run}/systemd/inhibit/@{int}.ref rw,

  # Read-only view of the user's cgroup resource limits.
        @{sys}/fs/cgroup/user.slice/cpu.max r,
        @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r,
        @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/memory.high r,
        @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/memory.max r,
        @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r,
  owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/*-@{int}.scope/memory.high r,
  owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/*-@{int}.scope/memory.max r,
  owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r,
  owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/cpu.max r,

  # This is an information leak: mountinfo exposes the full mount table
  # (devices, mount points, options). It is limited to the app's own
  # processes (owner) and kept because the Chromium base relies on it —
  # TODO confirm whether the Electron runtime still needs it.
  owner @{PROC}/@{pid}/mountinfo r,

  # Provide statistical information about our own and other processes/threads
  # (the two non-owner rules deliberately cover *any* pid on the system).
        @{PROC}/@{pid}/stat r,
        @{PROC}/@{pid}/task/@{tid}/status r,
  owner @{PROC}/@{pid}/statm r,
  owner @{PROC}/@{pid}/task/ r,
  owner @{PROC}/@{pid}/task/@{tid}/stat r,

  # Allow listing file descriptors for resource monitoring
  owner @{PROC}/@{pid}/fd/ r,

  # Allow reading of smaps_rollup, which is a summary of the memory use of a process
  owner @{PROC}/@{pid}/smaps_rollup r,

  # Reads of oom_adj and oom_score_adj are safe
  owner @{PROC}/@{pid}/oom_adj r,
  owner @{PROC}/@{pid}/oom_score_adj r,

  # Per man(5) proc, the kernel enforces that a thread may only modify its comm
  # value or those in its thread group, so the write here cannot reach other
  # processes even though the path pattern is generic.
  owner @{PROC}/@{pid}/task/@{tid}/comm rw,

  # Miscellaneous read-only kernel/process information.
        @{PROC}/ r,
        @{PROC}/sys/fs/inotify/max_user_watches r,
        @{PROC}/sys/kernel/yama/ptrace_scope r,
        @{PROC}/version r,
        @{PROC}/version_signature r,
  owner @{PROC}/@{pid}/cgroup r,
  owner @{PROC}/@{pid}/cmdline r,

  # gvfs-metadata contains user-specific data that should not be readable by apps
  deny @{user_share_dirs}/gvfs-metadata/* r,

  # Writing oom_score_adj would allow raising the OOM score of other processes
  # owned by the user, so it is explicitly denied (an explicit deny also keeps
  # the refused attempts out of the audit log).
  deny owner @{PROC}/@{pid}/oom_score_adj w,

  # Child profile for Chromium's crash handler, entered via the `cx` transitions
  # above. attach_disconnected lets paths that are disconnected from the
  # handler's namespace be resolved under @{att}.
  profile crashpad_handler flags=(attach_disconnected,attach_disconnected.path=@{att}) {
    include <abstractions/attached/base>

    # Only talk to the main application (profile @{name}) over the seqpacket
    # socket pair it was handed; no other peers.
    unix (send receive) type=seqpacket peer=(label=@{name}),

    # The handler binary itself, from either the distro Electron package or
    # the app's own install tree.
    @{lib}/electron@{int}/chrome_crashpad_handler mr,
    @{lib_dirs}/chrome_crashpad_handler mr,

    # Crash database lives under the app's config dir, owner-only.
    owner @{config_dirs}/Crashpad/{,**} rw,

    include if exists <abstractions/common/electron_crashpad_handler.d>
  }

  # Local drop-in for site-specific additions to this abstraction.
  include if exists <abstractions/common/electron.d>

# vim:syntax=apparmor
