CasperSecurity
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2009 Novell/SUSE
# Copyright (C) 2009-2011 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
include <abstractions/base>
include <abstractions/fonts>
include <abstractions/X>
include <abstractions/freedesktop.org>
include <abstractions/xdg-desktop>
include <abstractions/user-tmp>
include <abstractions/wayland>
# systemwide gtk defaults
/etc/gnome/gtkrc* r,
/etc/gtk/* r,
/usr/lib{,32,64}/gtk/** mr,
/usr/lib/@{multiarch}/gtk/** mr,
/usr/lib{,32,64}/gtk-[0-9]*/** mr,
/usr/lib/@{multiarch}/gtk-[0-9]*/** mr,
/usr/share/themes/ r,
/usr/share/themes/** r,
/usr/share/gtk-3.0/settings.ini r,
# communitheme snap
/snap/communitheme/*/share/themes/ r,
/snap/communitheme/*/share/themes/** r,
# for gnome 1 applications
/etc/orbitrc r,
# gtk-2 needed some new rights
/etc/fonts/* r,
/etc/gtk-*/* r,
/etc/pango/* r,
/usr/lib{,32,64}/pango/** mr,
/usr/lib{,32,64}/gtk-*/** mr,
/usr/lib{,32,64}/gdk-pixbuf-*/** mr,
/usr/lib/@{multiarch}/pango/** mr,
/usr/lib/@{multiarch}/gtk-*/** mr,
/usr/lib/@{multiarch}/gdk-pixbuf-*/** mr,
# per-user gtk configuration
owner @{HOME}/.config/gtk-3.0/ w,
owner @{HOME}/.config/gtk-3.0/* r,
owner @{HOME}/.gnome/Gnome r,
owner @{HOME}/.gtk r,
owner @{HOME}/.gtkrc r,
owner @{HOME}/.gtkrc-2.0 r,
owner @{HOME}/.gtk-bookmarks r,
owner @{HOME}/.themes/ r,
owner @{HOME}/.themes/** r,
owner @{user_share_dirs}/themes/ r,
owner @{user_share_dirs}/themes/** r,
# for gtk file dialog
owner @{HOME}/.config/gtk-2.0/ w,
owner @{HOME}/.config/gtk-2.0/** r,
owner @{HOME}/.config/gtk-2.0/gtkfilechooser.ini* rw,
# from evolution-mail
owner @{HOME}/.gconfd/lock/* r,
owner @{HOME}/.gnome/application-info r,
# per-user font business
owner @{HOME}/.fonts.cache-* rwl,
# GtkComposeTable
owner @{HOME}/.cache/gtk-3.0/** r,
# icon caches
/var/cache/**/icon-theme.cache r,
/usr/share/**/icon-theme.cache r,
# GLib schemas
/usr/{local/,}share/glib-[0-9]*/schemas/ r,
/usr/{local/,}share/glib-[0-9]*/schemas/** r,
# gnome VFS modules
/etc/gnome-vfs-2.0/modules/ r,
/etc/gnome-vfs-2.0/modules/* r,
/usr/lib/gnome-vfs-2.0/modules/*.so mr,
/usr/lib/@{multiarch}/gnome-vfs-2.0/modules/*.so mr,
# gvfs
/usr/share/gvfs/remote-volume-monitors/ r,
/usr/share/gvfs/remote-volume-monitors/* r,
@{PROC}/@{pid}/mounts r,
@{run}/mount/utab r,
# printing
/etc/papersize r,
/etc/cups/lpoptions r,
/usr/share/cups/charmaps/** r,
# holds MIT-MAGIC-COOKIE for gnome
owner @{run}/gdm/auth*/database r,
# mime-types
/etc/gnome/defaults.list r,
/etc/xdg/{,*-}mimeapps.list r,
/usr/share/gnome/applications/ r,
/usr/share/gnome/applications/mimeinfo.cache r,
# Allow connecting to the GNOME vfs socket (still need corresponding DBus
# rules)
unix (send, receive, connect)
type=stream
peer=(addr="@/dbus-vfs-daemon/socket-*"),
# Include additions to the abstraction
include if exists <abstractions/gnome.d>