# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2026 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# LOGPROF-SUGGEST: no

# The per-app-dev-shm feature shares a single instance of /dev/shm between the
# application, any unrestricted subsandboxes that it creates, and any other
# instances of the application that are launched while it is running.

# We should theoretically allow all access to /dev/shm/ here. However, as it is
# a potential source of information leaks and confinement escapes, we only allow
# some well-known paths that are used by the application.
# Baseapp can be used to allow access to more paths if needed.

  # Declare the policy ABI that the rules of this abstraction are written against.
  abi <abi/4.0>,

  # No /dev/shm rule is granted in this file itself: whatever access exists comes
  # from the optional per-app-dev-shm.d include below, which is skipped when absent.
  # NOTE(review): rules added there should stay limited to specific, well-known
  # paths; a blanket rule over /dev/shm/ would bring back the information-leak and
  # confinement-escape exposure described in the header comment.
  include if exists <abstractions/flatpak/features/per-app-dev-shm.d>

# vim:syntax=apparmor
