# vim: ft=apparmor
#------------------------------------------------------------------
#    Copyright (C) 2024 Canonical Ltd.
#
#    Author: Paulo Flabiano Smorigo <pfsmorigo@canonical.com>
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License published by the Free Software Foundation.
#------------------------------------------------------------------

abi <abi/4.0>,

include <tunables/global>

#TODO: need to make these part of a proper desktop policy API, some may merge
#keep them separate for now
@{StatusNotifierWatcher}=unconfined
@{MountTracker}=unconfined
@{secrets}=unconfined
@{DBus}=unconfined
@{collection}=unconfined
@{NetworkManager}=unconfined
@{a11y}=unconfined
@{Settings}=unconfined

profile remmina /usr/bin/remmina {
  include <abstractions/base>
  include <abstractions/fonts>
  include <abstractions/freedesktop.org>
  include <abstractions/gnome>
  include <abstractions/dbus>
  include <abstractions/dbus-session-strict>
  include <abstractions/nameservice>
  include <abstractions/openssl>
  include <abstractions/ssl_certs>
  include <abstractions/private-files-strict>
  include <abstractions/dconf>

  dbus (bind) bus=session name="org.remmina.Remmina",
  dbus (send) bus=session path="/org/gtk/vfs/mounttracker" interface="org.gtk.vfs.MountTracker" member={ListMountableInfo,LookupMount} peer=(label=@{MountTracker}),
  dbus (send) bus=session path="/org/freedesktop/secrets" interface="org.freedesktop.DBus.Properties" member=GetAll peer=(label=@{secrets}),
  dbus (send) bus=session path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member={RequestName,ReleaseName,DescribeAll} peer=(label=@{DBus}),
  dbus (send) bus=session path="/org/freedesktop/secrets/collection/{login,session}" interface="org.freedesktop.DBus.Properties" member=GetAll peer=(label=@{collection}),
  dbus (send) bus=system path="/org/freedesktop/NetworkManager" interface="org.freedesktop.DBus.Properties" member=GetAll peer=(label=@{NetworkManager}),
  dbus (send) bus=system path="/org/a11y/bus" interface="org.a11y.Bus" member=GetAddress peer=(label=@{a11y}),
  dbus (send) bus=system path="/org/gtk/Settings" interface="org.freedesktop.DBus.Properties" member=GetAll peer=(label=@{Settings}),
  dbus (send) bus=system path="/StatusNotifierWatcher" interface="org.freedesktop.DBus.Introspectable" member=Introspect peer=(label=@{StatusNotifierWatcher}),
  dbus (send) bus=system path="/StatusNotifierWatcher" interface="org.kde.StatusNotifierWatcher" member=RegisterStatusNotifierItem peer=(label=@{StatusNotifierWatcher}),

  @{etc_ro}/fstab r,
  @{exec_path} mr,
  /usr/share/remmina/{,**} r,
  /var/lib/snapd/desktop/icons/{,**} r,
  /etc/debian_version r,
  /{,usr/}bin/python3.{1,}[0-9] mrix,
  /usr/bin/lsb_release Px -> lsb_release,

  owner @{HOME}/.cache/org.remmina.Remmina/{,**} rw,
  owner @{HOME}/.cache/remmina/{,**} rw,
  owner @{HOME}/.cache/thumbnails/{,**} r,
  owner @{HOME}/.config/autostart/remmina-applet.desktop{,**} r,
  # TODO: This should be mknod instead of w, and this should be behind prompt
  # hence why the rule is split.
  audit owner @{HOME}/.config/autostart/remmina-applet.desktop{,**} w,
  owner @{HOME}/.config/freerdp/known_hosts2 rwk,
  owner @{HOME}/.config/glib-2.0/settings/keyfile rw,
  owner @{HOME}/.config/remmina/{,**} rw,
  owner @{HOME}/.ssh/{config,known_hosts} r,
  owner @{HOME}/.local/share/remmina/{,**} rw,

  ## In order to import and export profiles
  owner @{HOME}/{,[^.]**} rw,

  owner @{run}/user/@{uid}/gvfsd/socket-* rw,
  owner @{PROC}/@{pid}/task/@{tid}/comm rw,
  owner @{PROC}/@{pid}/mountinfo rw,

  ## dconf abstraction is read-only, adding write access
  owner @{run}/user/@{uid}/dconf/{,user} rw,

  owner @{run}/user/@{uid}/at-spi/ rw,
  owner @{run}/user/@{uid}/at-spi/bus{,_[0-9]*} rw,

  /usr/bin/dash Px -> shell_browser,

  include if exists <local/remmina>
}

profile shell_browser {
  include <abstractions/base>
  include <abstractions/consoles>
  include <abstractions/ubuntu-helpers>
  include <abstractions/ubuntu-browsers>
  network tcp,

  /usr/bin/dash r,
}
