# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2026 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/4.0>,

include <tunables/global>

# @{exec_path}: the helper binary, granted mr inside the profile.
# @{att}: prefix used by attach_disconnected.path in the profile header, so
# disconnected paths are reported under a per-profile location.
@{exec_path} = @{lib}/plasmalogin-helper
@{att} = /att/plasmalogin-helper/
profile plasmalogin-helper /{,usr/}lib{,exec,32,64}/plasmalogin-helper flags=(attach_disconnected,attach_disconnected.path=@{att}) {
  # Privileged login helper: it authenticates (abstractions/authentication),
  # needs setuid/setgid to become the user, and execs the session starters and
  # session scripts listed below. The attachment glob covers lib, libexec,
  # lib32 and lib64 installs.
  include <abstractions/attached/base>
  include <abstractions/authentication>
  include <abstractions/bus-system>
  include <abstractions/bus/system/org.freedesktop.login1>
  include <abstractions/attached/nameservice-strict>

  # Capability set. Reviewer reading of each (confirm against audit logs):
  #   audit_write + the netlink rule below: PAM audit records (presumably)
  #   chown/fowner/sys_tty_config: session tty and file ownership (presumably)
  #   kill: the signal rules below
  #   setgid/setuid: switching to the logged-in user
  # NOTE(review): nothing visible in this profile obviously needs net_admin —
  # confirm a denial still requires it before keeping it.
  capability audit_write,
  capability chown,
  capability dac_read_search,
  capability fowner,
  capability kill,
  capability net_admin,
  capability setgid,
  capability setuid,
  capability sys_tty_config,

  # Raw netlink socket; consistent with audit logging from PAM (presumably).
  network netlink raw,

  # Private D-Bus socket. 'plasmalogin-hel' is 15 characters, i.e. the
  # kernel-truncated comm name of the helper — verify it matches what the
  # helper actually binds.
  unix bind type=stream addr=@@{udbus}/bus/plasmalogin-hel/system,

  # Signals are limited to SIGTERM and to the named peer profiles.
  signal receive set=term peer=plasmalogin,
  signal send set=term peer=startplasma-login-wayland,
  signal send set=term peer=startplasma,

  @{exec_path} mr,

  # Execution transitions: px -> dedicated profile; pux -> dedicated profile if
  # one is loaded, otherwise unconfined.
  @{bin}/startplasma-login-wayland px,
  @{shells_path}                   px -> plasmalogin-shell,
  # NOTE(review): pux leaves ksecretd unconfined when no ksecretd profile is
  # loaded; make sure that profile ships alongside this one.
  @{bin}/ksecretd                 pux,

  # Coreutils run inherited (rix): they stay confined by this profile.
  @{bin}/cat           rix,
  @{bin}/find          rix,
  @{bin}/tr            rix,
  @{bin}/tty           rix,
  @{bin}/xargs         rix,

  # pidof has its own profile; flatpak goes to the local child profile below.
  @{bin}/pidof          px,
  @{bin}/flatpak        cx -> flatpak,

  # Session scripts run inherited, so anything they exec must be allowed here.
  /usr/share/plasmalogin/scripts/wayland-session rix,
  /usr/share/plasmalogin/scripts/Xsession rix,
  /usr/share/plasmalogin/scripts/Xsetup rix,
  /usr/share/plasmalogin/scripts/Xstop rix,

  # Read-only system configuration.
  @{etc_ro}/profile.d/{,*} r,
  /etc/debuginfod/{,*} r,
  /etc/machine-id r,
  /etc/profile r,
  /etc/shells r,

  # lastlog records: read, write and lock (k).
  /var/lib/lastlog/ r,
  /var/lib/lastlog/* rwk,

  # NOTE(review): @{SDDM_HOME} is the sddm tunable; confirm it also covers the
  # plasmalogin service home directory.
  owner @{SDDM_HOME}/ rw,

  # Per-user state, owner-restricted.
  owner @{user_share_dirs}/kwalletd/ rw,
  owner @{user_share_dirs}/kwalletd/kdewallet.salt rw,
  owner @{user_share_dirs}/plasmalogin/wayland-session.log w,

  # NOTE(review): not owner-qualified; if the helper creates this file itself,
  # adding `owner` would stop it from acting on a same-named file owned by
  # someone else — confirm who creates it.
  /tmp/plasmalogin-auth-@{uuid} rw,

  # Login-failure tallies (presumably pam_faillock) and the logind varlink
  # socket; the kwallet socket is the user's own.
        @{run}/faillock/@{user} rwk,
        @{run}/systemd/io.systemd.Login rw,
  owner @{run}/user/@{uid}/kwallet5.socket w,

  # loginuid is written at session start (presumably pam_loginuid); the fd
  # listing is limited to the helper's own processes.
        @{PROC}/@{pid}/loginuid w,
        @{PROC}/@{pid}/uid_map r,
  owner @{PROC}/@{pid}/fd/ r,

  # Console ttys for the login session.
  /dev/tty@{u8} rw,
  /dev/tty rw,

  # Child profile for the flatpak invocation (cx above): only the binary plus
  # the attached base abstraction.
  profile flatpak {
    include <abstractions/attached/base>

    @{bin}/flatpak mr,

    include if exists <local/plasmalogin-helper_flatpak>
  }

  # Site-local additions.
  include if exists <local/plasmalogin-helper>
}

# vim:syntax=apparmor
