# Description: Can use the QtWebEngine and Morph.Web
# Usage: common

  # Morph
  /usr/share/qt5/resources/ r,
  /usr/share/qt5/resources/** r,
  /usr/share/qt5/translations/qtwebengine_locales/ r,
  /usr/share/qt5/translations/qtwebengine_locales/** r,
  /usr/share/morph-browser/ r,
  /usr/share/morph-browser/** r,
  /usr/bin/morph-browser r,

  # Same-label ptrace only. The signal peer names the qwe_helper subprofile,
  # which is only reached if the transition below ever becomes Cx (see FIXME).
  ptrace (read, trace) peer=@{profile_name},
  signal peer=@{profile_name}//qwe_helper,

  # Allow communicating with sandbox
  unix (receive, send) peer=(label=@{profile_name}//qwe_helper),

  # FIXME: I would love this to be Cx (transition to subprofile). Unfortunately,
  # the "no new privs" restriction (since Linux 3.5) set by Chromium is preventing
  # this. Apparmor (in older versions) lacked the ability to determine if the
  # new profile is a subset of the old profile, and thus is blocked from
  # transitioning the profiles.
  #
  # And even if it does, we'll be blocked anyway since the subprofile below _does_
  # provide new privilege (sys_chroot, make sense since this profile is written
  # in the context of confined applications calling system binary). We don't want
  # applications to have sys_chroot (even though normally it's launched
  # unprivileged). See https://pad.lv/1447345
  #
  # So, for now, uses ix (inherit profile). This means the qwe_helper subprofile
  # below is useless, but we'll leave it in since in the future "nnp override"
  # might become a thing.
  #
  # This mailing list message contains useful information:
  # https://lists.ubuntu.com/archives/apparmor/2018-November/011846.html
  #
  # NOTE: because of 'ix', QtWebEngineProcess runs under *this* profile, so
  # the capability grants listed in qwe_helper are not in effect here and
  # must not be copied up into this policy group.
  /usr/lib/@{multiarch}/qt5/libexec/QtWebEngineProcess ixmr -> qwe_helper,

  # Thread stats of any pid (not owner-qualified; the qwe_helper subprofile
  # uses 'owner' for the same path).
  @{PROC}/[0-9]*/task/[0-9]*/stat r,

  # QtWebEngine needs some read access to proc
  #
  # NOTE(review): these rules are not owner-qualified, so they match every
  # pid. The kernel's ptrace access check still gates mem/auxv reads, and the
  # ptrace rule above is limited to peer=@{profile_name}; consider adding
  # 'owner' as qwe_helper does for status/task, if QtWebEngine only inspects
  # its own processes (verify before tightening).
  @{PROC}/ r,
  @{PROC}/[0-9]*/ r,
  @{PROC}/[0-9]*/fd/ r,
  @{PROC}/[0-9]*/auxv r,
  @{PROC}/[0-9]*/mem r,
  @{PROC}/[0-9]*/status r,
  @{PROC}/[0-9]*/task/ r,

  # LP: #1275917 (not a problem, but unnecessary)
  /usr/share/glib-2.0/schemas/gschemas.compiled r,

  # LP: #1260044
  deny /usr/lib/@{multiarch}/qt5/bin/locales/ w,
  deny /usr/bin/locales/ w,

  # LP: #1260101
  deny /run/user/[0-9]*/dconf/user rw,
  deny owner @{HOME}/.config/dconf/user r,
  deny /custom/etc/dconf_profile r,

  # LP: #1357371 (webapp-container needs corresponding 'bind' call on
  # org.freedesktop.Application, which we block elsewhere. webapp-container
  # shouldn't be doing this under confinement, but we allow this rule in
  # content_exchange, so just allow it to avoid confusion)
  dbus (send)
       bus=session
       path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member=RequestName
       peer=(label=unconfined),

  # LP: #1260048 - only allow 'r' for now, since 'w' would allow db poisoning.
  # The explicit deny rules take precedence over any allow that also matches.
  owner @{HOME}/.pki/nssdb/ r,
  owner @{HOME}/.pki/nssdb/** rk,
  deny @{HOME}/.pki/nssdb/ w,
  deny @{HOME}/.pki/nssdb/** w,

  # LP: # (bug reference incomplete in the original comment — TODO fill in)
  # Read-only hardware enumeration (PCI/CPU topology) used by Chromium.
  /sys/bus/pci/devices/ r,
  /sys/devices/system/cpu/ r,
  /sys/devices/system/cpu/cpu[0-9]*/cpufreq/{,policy[0-9]*/}cpuinfo_max_freq r,
  /sys/devices/pci[0-9]*/**/class r,
  /sys/devices/pci[0-9]*/**/device r,
  /sys/devices/pci[0-9]*/**/irq r,
  /sys/devices/pci[0-9]*/**/resource r,
  /sys/devices/pci[0-9]*/**/vendor r,
  /sys/devices/pci[0-9]*/**/removable r,
  /sys/devices/pci[0-9]*/**/uevent r,
  /sys/devices/pci[0-9]*/**/block/**/size r,
  /etc/udev/udev.conf r,

  # LP: #1260098
  /tmp/ r,
  /var/tmp/ r,

  # TODO: Maybe make this file app-specific, just like in Oxide 1.17.5+
  # This would entail patching QtWebEngine, which we might not want to...
  # See https://pad.lv/1260103, https://pad.lv/1577514
  # Owner-qualified: only the app's own shm segments (cf. the qwe_helper rule).
  owner /{dev,run}/shm/.org.chromium.Chromium.* rwk,

  # Subprofile intended for the QtWebEngine sandbox helper. NOTE: with the
  # 'ix' transition used above (see the FIXME there) this subprofile is not
  # currently entered; its rules only take effect if that becomes Cx.
  profile qwe_helper (attach_disconnected) {
    #include <abstractions/base>

    # So long as we don't give /dev/binder, this should be 'ok'
    /{,android/}vendor/lib{,64}/*.so        mr,
    /{,android/}system/lib{,64}/*.so        mr,
    /{,android/}system/vendor/lib{,64}/*.so mr,
    /{,android/}odm/lib{,64}/*.so mr,
    /{,android/}system/build.prop      r,
    /{,dev/}socket/property_service rw, # attach_disconnected path

    # Proc access; status/task are owner-qualified here, unlike the parent.
    @{PROC}/ r,
    @{PROC}/[0-9]*/ r,
    @{PROC}/[0-9]*/fd/ r,
    @{PROC}/[0-9]*/auxv r,
    owner @{PROC}/[0-9]*/status r,
    owner @{PROC}/[0-9]*/task/ r,
    owner @{PROC}/[0-9]*/task/[0-9]*/stat r,
    /sys/devices/system/cpu/ r,
    /sys/devices/system/cpu/cpu[0-9]*/cpufreq/{,policy[0-9]*/}cpuinfo_max_freq r,

    # For sandboxing.

    # Required for dropping into PID namespace. Keep in mind that until the
    # process drops this capability it can escape confinement, but once it
    # drops CAP_SYS_ADMIN we are ok.
    capability sys_admin,

    # All of these are for sanely dropping from root and chrooting
    capability chown,
    capability fsetid,
    capability setgid,
    capability setuid,
    capability dac_override,
    capability dac_read_search,
    capability sys_chroot,

    capability sys_ptrace,
    ptrace (read, readby),
    signal peer=@{APP_PKGNAME}_@{APP_APPNAME}_@{APP_VERSION},

    # The parent is named in two forms below: the composed app label and
    # @{profile_name}. NOTE(review): inside a subprofile @{profile_name} may
    # expand to the child's own name rather than the parent's — verify which
    # peer each unix rule actually matches, otherwise one pair is dead.
    unix peer=(label=@{APP_PKGNAME}_@{APP_APPNAME}_@{APP_VERSION}),
    unix (create),
    unix peer=(label=@{profile_name}),
    unix (getattr, getopt, setopt, shutdown),

    # LP: #1260115
    deny @{PROC}/[0-9]*/oom_adj w,
    deny @{PROC}/[0-9]*/oom_score_adj w,

    # Re-exec of the helper stays within this subprofile ('ix').
    /usr/lib/@{multiarch}/qt5/libexec/QtWebEngineProcess rmix,

    #
    # For renderer
    #
    #include <abstractions/fonts>
    @{PROC}/sys/kernel/shmmax r,
    @{PROC}/sys/kernel/yama/ptrace_scope r,
    # Explicit deny takes precedence over any allow rule covering the same
    # path within this profile, so these stay blocked even if later rules
    # (or included abstractions) would otherwise grant them.
    deny /etc/passwd r,
    deny /tmp/ r,
    deny /var/tmp/ r,

    # The renderer may need access to app-specific files, such as WebCore
    # databases
    owner @{HOME}/.local/share/@{APP_PKGNAME}/   rw,
    owner @{HOME}/.local/share/@{APP_PKGNAME}/** mrwkl,

    # TODO: Maybe make this file app-specific, just like in Oxide 1.17.5+
    # This would entail patching QtWebEngine, which we might not want to...
    # See https://pad.lv/1260103, https://pad.lv/1577514
    # NOTE(review): unlike the parent's rule this is not owner-qualified, so
    # it matches any user's shm segments — consider adding 'owner' unless
    # cross-user access is actually required.
    /{dev,run}/shm/.org.chromium.Chromium.* rwk,

    # LP: #1260048
    # NOTE(review): this grants write access to the NSS db, which the parent
    # profile explicitly denies to prevent db poisoning; confirm the renderer
    # really needs 'w' here, otherwise tighten to r / rk to match the parent.
    owner @{HOME}/.pki/nssdb/ rw,
    owner @{HOME}/.pki/nssdb/** rwk,
    
    /usr/share/qt5/resources/ r,
    /usr/share/qt5/resources/** r,
    /usr/share/qt5/translations/qtwebengine_locales/ r,
    /usr/share/qt5/translations/qtwebengine_locales/** r,
  }
