# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2015-2022 Mikhail Morfikov
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/3.0>,

include <tunables/global>

@{name} = floorp{,.sh,-esr,-bin}
@{lib_dirs} = @{lib}/@{name} /opt/@{name}
@{config_dirs} = @{HOME}/.floorp/
@{cache_dirs} = @{user_cache_dirs}/floorp/

@{exec_path} = @{bin}/@{name} @{lib_dirs}/@{name}
profile floorp /{{,usr/}{,s}bin/floorp{,.sh,-esr,-bin},{,usr/}lib{,exec,32,64}/floorp{,.sh,-esr,-bin}/floorp{,.sh,-esr,-bin},opt/floorp{,.sh,-esr,-bin}/floorp{,.sh,-esr,-bin}} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/app/firefox>

  signal (send) set=(term, kill) peer=keepassxc-proxy,

  dbus bind bus=session name=org.mozilla.floorp{,.*},
  dbus receive bus=session path=/org/mozilla/floorp{,/**}
       interface=org.mozilla.floorp{,.*}
       peer=(name=":1.@{int}"),
  dbus receive bus=session path=/org/mozilla/floorp{,/**}
       interface=org.freedesktop.DBus.Properties
       peer=(name=":1.@{int}"),
  dbus receive bus=session path=/org/mozilla/floorp{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       peer=(name=":1.@{int}"),
  dbus send bus=session path=/org/mozilla/floorp{,/**}
       interface=org.mozilla.floorp{,.*}
       peer=(name="{:1.@{int},org.freedesktop.DBus}"),
  dbus send bus=session path=/org/mozilla/floorp{,/**}
       interface=org.freedesktop.DBus.Properties
       peer=(name="{:1.@{int},org.freedesktop.DBus}"),
  dbus send bus=session path=/org/mozilla/floorp{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       peer=(name="{:1.@{int},org.freedesktop.DBus}"),
  dbus receive bus=session path=/org/mozilla/floorp{,/**}
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name=":1.@{int}"),
  dbus bind bus=session name=org.mpris.MediaPlayer2.floorp{,.*},
  dbus receive bus=session path=/org/mpris/MediaPlayer2
       interface=org.mpris.MediaPlayer2.floorp{,.*}
       peer=(name=":1.@{int}"),
  dbus receive bus=session path=/org/mpris/MediaPlayer2
       interface=org.freedesktop.DBus.Properties
       peer=(name=":1.@{int}"),
  dbus receive bus=session path=/org/mpris/MediaPlayer2
       interface=org.freedesktop.DBus.ObjectManager
       peer=(name=":1.@{int}"),
  dbus send bus=session path=/org/mpris/MediaPlayer2
       interface=org.mpris.MediaPlayer2.floorp{,.*}
       peer=(name="{:1.@{int},org.freedesktop.DBus}"),
  dbus send bus=session path=/org/mpris/MediaPlayer2
       interface=org.freedesktop.DBus.Properties
       peer=(name="{:1.@{int},org.freedesktop.DBus}"),
  dbus send bus=session path=/org/mpris/MediaPlayer2
       interface=org.freedesktop.DBus.ObjectManager
       peer=(name="{:1.@{int},org.freedesktop.DBus}"),
  dbus receive bus=session path=/org/mpris/MediaPlayer2
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name=":1.@{int}"),

  @{exec_path} mrix,

  @{lib}/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemX11Plugin.so mr,
  @{lib}/mozilla/plugins/ r,
  @{lib}/mozilla/plugins/libvlcplugin.so mr,

  # Desktop integration
  @{bin}/gnome-software                              rpx,
  @{bin}/kreadconfig5                                rix,
  @{bin}/plasma-browser-integration-host             rpx,
  @{bin}/update-mime-database                        rpx,
  @{lib}/gvfsd-metadata                              rpx,
  @{lib}/mozilla/kmozillahelper                     rpux,
  @{open_path}                                       rpx -> child-open,

  # Common extensions
  /opt/net.downloadhelper.coapp/bin/net.downloadhelper.coapp*  rpx,
  @{bin}/browserpass         rpx,
  # As a temporary solution - see issue #128
  @{bin}/keepassxc-proxy     rix,

  owner @{user_config_dirs}/gtk-{3,4}.0/assets/*.svg r,
  owner @{user_config_dirs}/ibus/bus/ r,
  owner @{user_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r,
  owner @{user_config_dirs}/kioslaverc r,
  owner @{user_config_dirs}/mimeapps.list{,.@{rand6}} rw,

  owner @{user_share_dirs}/applications/userapp-Floorp-@{rand6}.desktop{,.@{rand6}} rw,
  owner @{user_share_dirs}/mime/packages/user-extension-{htm,html,xht,xhtml,shtml}.xml rw,
  owner @{user_share_dirs}/mime/packages/user-extension-{htm,html,xht,xhtml,shtml}.xml.* rw,

  owner @{tmp}/.xfsm-ICE-@{rand6} rw,
  owner @{tmp}/@{rand6}.tmp r,
  owner @{tmp}/@{rand8}.txt w,
  owner @{tmp}/* w,  # file downloads (to anywhere)
  owner @{tmp}/Mozilla@{uuid}-cachePurge-??????????????? rwk,
  owner @{tmp}/mozilla* rw,
  owner @{tmp}/mozilla*/ rw,
  owner @{tmp}/mozilla*/* rwk,
  owner @{tmp}/Mozilla\{@{uuid}\}-cachePurge-??????????????? rwk,
  owner @{tmp}/MozillaBackgroundTask-???????????????-removeDirectory/.parentlock k,
  owner @{tmp}/MozillaBackgroundTask-???????????????-removeDirectory/{**,} rw,
  owner @{tmp}/Mozillato-be-removed-cachePurge-??????????????? rwk,

  # Silencer
  deny @{lib_dirs}/** w,

  include if exists <local/floorp>
}

# vim:syntax=apparmor