# AppArmor policy for GNOME Evolution: the main `evolution` profile plus the
# helper profiles it transitions to (bash/ntlm_auth, the bubblewrap sandbox,
# WebKit web/network processes, alarm notifier, gio-launch-desktop).
#
# Pin the policy ABI so the parser checks these rules against the AppArmor 4.0
# feature set (needed for `userns` and the mount/pivot_root rules below)
# instead of silently downgrading to whatever the running kernel advertises.
abi <abi/4.0>,

include <tunables/global>

# Evolution's per-user state lives under either the app-id or the legacy name;
# both are matched wherever this variable is expanded in ~/.cache and
# ~/.local/share rules below.
@{CONFIGSUBDIRS}=org.gnome.Evolution evolution

# NOTE(review): this abstraction is also included inside the `evolution` and
# `evolution-gio-launch-desktop` profiles below; confirm the top-level copy is
# still needed.
include <abstractions/ubuntu-helpers>

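# Main profile, attached to /usr/bin/evolution. Everything Evolution execs is
# either moved into a dedicated profile below (Px -> name) or, for the crypto
# and spam helpers, falls back to unconfined (PUx) — see the note at those rules.
profile evolution /usr/bin/evolution {
  include <abstractions/base>
  include <abstractions/nameservice>
  include <abstractions/openssl>
  include <abstractions/ssl_certs>
  include <abstractions/X>
  include <abstractions/fonts>
  include <abstractions/dconf>
  include <abstractions/gnome>
  include <abstractions/enchant>
  include <abstractions/ubuntu-helpers>
  include <abstractions/p11-kit-files>
  include <abstractions/evolution>
  include <abstractions/consoles>
  include <abstractions/vulkan>
  include <abstractions/nvidia>
  include <abstractions/mesa>
  include <abstractions/nssdb-user-files>

  # Only TCP (IMAP/SMTP/HTTPS) is granted here; anything else (e.g. UDP for
  # DNS) has to come from one of the included abstractions.
  network inet  stream,
  network inet6 stream,

  # Matched by the `signal (receive) peer=evolution` rules in the
  # evolution-bubblewrap and evolution_ntlm_auth profiles below.
  signal (send) peer=evolution-bubblewrap,
  signal (send) peer=evolution_ntlm_auth,

  /usr/share/xml/iso-codes/* r,
  /etc/gcrypt/random.conf r,

  # Read-only hardware enumeration (GPU probing by mesa/nvidia). Any PCI
  # domain/root bus is matched, not just pci0000:00 — machines with several
  # root complexes expose pci0000:20, pci0000:40, ... and would otherwise hit
  # denials for the same attribute set.
  /sys/devices/pci[0-9]*/**/{uevent,vendor,device,subsystem_vendor,subsystem_device,config,revision}                        r,
  /sys/devices/pci[0-9]*/**/drm/ r,

  # cgroup v1 (memory controller) and v2 memory limits for the user session
  # and for Evolution's own app scope; read-only.
  /sys/fs/cgroup/memory/memory.{memsw.limit_in_bytes,limit_in_bytes,usage_in_bytes} r,
  owner /sys/fs/cgroup/memory/user.slice/user-*.slice/user@*.service/{memory.memsw.limit_in_bytes,memory.usage_in_bytes,memory.limit_in_bytes} r,
  owner /sys/fs/cgroup/user.slice/user-*.slice/user@*.service/app.slice/app-gnome-org.gnome.Evolution-*.scope/memory.{max,high,current} r,


  # Runtime state shared with the WebKit processes (sockets/proxies under
  # webkitgtk/, bwrap metadata under .flatpak/webkit-*/). `owner` restricts
  # this to files owned by the invoking user.
  owner /run/user/*/webkitgtk/* rw,
  owner /run/user/*/webkitgtk/ rw,
  owner /run/user/*/.flatpak/ rw,
  owner /run/user/*/.flatpak/webkit-*/ rw,
  owner /run/user/*/.flatpak/webkit-*/bwrapinfo.json rw,

  # TODO: abstractions/gnome?
  /var/cache/gio-2.0/gnome-mimeapps.list r,

  owner /proc/@{pid}/mountinfo r,
  owner /proc/@{pid}/comm r,

  # Explicit deny keeps the (expected) exec attempt out of the audit log.
  deny /usr/bin/nvidia-modprobe x,

  # Home access is limited to listing $HOME, attachment save/load under
  # Downloads, and the signature files.
  owner @{HOME}/               r,
  owner @{HOME}/Downloads/     r,
  owner @{HOME}/Downloads/**   rwlk,
  owner @{HOME}/.signature*    rwlk,

  # Evolution's own cache/config/data trees (mail stores, account config,
  # WebKit databases) plus read-only thumbnail and gvfs metadata.
  owner @{HOME}/.cache/@{CONFIGSUBDIRS}/**       rwlk,
  owner @{HOME}/.config/evolution/        rwlk,
  owner @{HOME}/.config/evolution/**      rwlk,
  owner @{HOME}/.local/share/@{CONFIGSUBDIRS}/   r,
  owner @{HOME}/.local/share/@{CONFIGSUBDIRS}/** rwlk,
  owner @{HOME}/.local/share/webkitgtk/** rwlk,
  owner @{HOME}/.cache/thumbnails/**       r,
  owner @{HOME}/.local/share/gvfs-metadata/home r,
  owner @{HOME}/.local/share/gvfs-metadata/home-*.log r,


  # Deny-rule abstraction for sensitive dotfiles; rule order is irrelevant in
  # AppArmor, so its position after the @{HOME} grants does not weaken it.
  include <abstractions/private-files>
  # TODO
  # PUx: transition to the target's own profile if one is loaded, otherwise run
  # UNCONFINED (with a scrubbed environment). gpg/gpgsm are presumably invoked
  # on PGP/S-MIME mail content, i.e. attacker-influenced input, so this is the
  # widest gap in the policy. Switch to Px once profiles for these helpers
  # exist — a bare Px is denied when no matching profile is loaded.
  /usr/bin/gpgconf  PUx,
  /usr/bin/gpgsm    PUx,
  /usr/bin/gpg2     PUx,
  /usr/bin/gpg      PUx,
  /usr/bin/sa-learn PUx,

  # Every Px target below is a profile defined later in this file. The
  # evolution-webkit profile only applies when WebKitWebProcess is launched
  # directly; when it goes through bwrap it inherits evolution-bubblewrap
  # instead (see the ix rules there).
  /usr/lib{,exec}/libwebkit2gtk-*/WebKitWebProcess                                   Px -> evolution-webkit,
  /usr/lib{,exec}/libwebkit2gtk-*/WebKitNetworkProcess                               Px -> evolution-webkit-network,
  /usr/lib{,exec}/evolution-data-server/evolution-data-server/evolution-alarm-notify Px -> evolution-alarm-notify,
  /usr/bin/gio-launch-desktop                                                        Px -> evolution-gio-launch-desktop,
  /usr/libexec/gio-launch-desktop                                                    Px -> evolution-gio-launch-desktop,

  /usr/bin/bwrap                                                                     Px -> evolution-bubblewrap,
  /usr/bin/xdg-dbus-proxy                                                            Px -> evolution-xdg-dbus-proxy,

  # deny /{usr,}/bin/bash x,
  # bash is confined to evolution_bash, whose only exec target is ntlm_auth.
  /{usr,}/bin/bash                                                                   Px -> evolution_bash,

  include if exists <local/usr.bin.evolution>
  include if exists <local/evolution>
}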

# Entered from the main profile's `Px -> evolution_bash` rule. Its purpose is
# to reach ntlm_auth; this profile itself grants exec on nothing else (not even
# re-exec of bash — the binary is only `rm`). NOTE(review): the included
# abstractions may add their own permissions; check abstractions/bash.
profile evolution_bash {
  include <abstractions/base>
  include <abstractions/bash>
  include <abstractions/consoles>

  /{usr,}/bin/bash     rm,
  /usr/bin/ntlm_auth   Px -> evolution_ntlm_auth,
}

# Samba's ntlm_auth helper, reached via evolution_bash. Minimal: the binary,
# the Samba config, and the signals the main `evolution` profile sends (L32
# there is the matching `signal (send)`).
# NOTE(review): ntlm_auth normally talks to winbindd over a local socket and
# no socket/file rule for that is present here — confirm from logs whether it
# works or is being denied.
profile evolution_ntlm_auth {
  include <abstractions/base>

  /usr/bin/ntlm_auth rm,
  /etc/samba/smb.conf r,

  signal (receive) peer=evolution,
}

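# bubblewrap (bwrap) sandbox launcher used by WebKitGTK to start
# WebKitWebProcess. attach_disconnected is needed because after pivot_root the
# paths bwrap keeps touching are no longer connected to the namespace root.
#
# SECURITY NOTE: WebKitWebProcess and xdg-dbus-proxy are `ix` below (Px is
# impossible under no_new_privs, see the comment at those rules). That means
# the process rendering remote HTML mail runs under THIS profile — with the
# unrestricted `mount,`, `userns` and capability grants — not under the much
# tighter `evolution-webkit` profile, which only applies when bwrap is not used.
# The commented-out fine-grained mount rules are the intended tightening.
profile evolution-bubblewrap flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/gnome>
  include <abstractions/fonts>
  include <abstractions/openssl>
  include <abstractions/nvidia>
  include <abstractions/mesa>

  # Allow creating user namespaces (bwrap runs unprivileged and relies on them).
  userns,

  /usr/share/evolution/** r,

  /usr/bin/bwrap rm,

  # AppArmor does not distinguish capabilities held inside bwrap's user
  # namespace from host capabilities, so these are also granted should bwrap
  # ever run with real privilege (e.g. a setuid build). dac_override bypasses
  # file permission checks — NOTE(review): confirm from logs that it is really
  # exercised; bwrap normally needs none of this outside its own namespace.
  capability sys_admin,
  capability setpcap,
  capability sys_ptrace,
  capability net_admin,
  capability dac_override,

  # audit mount,

  # mount options in (ro, nosuid, nodev, remount, bind, relatime, noexec)                                                 -> /newroot/**,
  # mount options=(rw)                                                                                                    -> /oldroot/,
  # mount options=(rw, rbind)                                                                   /oldroot/**               -> /newroot/**,

  # mount options=(rw, silent, rslave)                                                                                    -> /,
  # # audit mount options=(rw, rprivate)                                                                                    -> /oldroot/,
  # mount options=(rw, nosuid, nodev)                                     fstype=tmpfs                                    -> /tmp/,
  # mount options=(rw, rbind)                                                                   /tmp/newroot/             -> /tmp/newroot/,
  # mount options=(rw, nosuid, noexec, nodev)                                                   proc                      -> /newroot/proc/,
  # mount options=(rw, nosuid, nodev)                                     fstype=tmpfs          tmpfs                     -> /newroot/{dev,tmp}/,
  # mount options=(rw, nosuid, noexec)                                    fstype=devpts         devpts                    -> /newroot/dev/pts/,
  # mount options=(ro, nosuid, nodev, remount, bind, silent, relatime)                          /oldroot/usr/lib          -> /newroot/lib,
#
  # mount options=(rw, rbind)                                                                   /bindfile*                -> /newroot/.flatpak-info,
  # mount options=(rw, rbind)                                                                   /oldroot/etc/             -> /newroot/etc/,
  # mount options=(rw, rbind)                                                                   /oldroot/dev/null         -> /newroot/dev/null,
  # mount options=(rw, rbind)                                                                   /oldroot/dev/zero         -> /newroot/dev/zero,
  # mount options=(rw, rbind)                                                                   /oldroot/dev/full         -> /newroot/dev/full,
  # mount options=(rw, rbind)                                                                   /oldroot/dev/tty          -> /newroot/dev/tty,
  # mount options=(rw, rbind)                                                                   /oldroot/dev/console      -> /newroot/dev/console,
  # mount options=(rw, rbind)                                                                   /oldroot/dev/pts/*        -> /newroot/dev/console,
#
  # mount options=(rw, rbind)                                                                   /oldroot/dev/{u,}random   -> /newroot/dev/{u,}random,
  # mount options=(ro, nosuid, nodev, remount, bind, silent, relatime)                                                    -> /newroot/etc/,
  # # this is kinda ugly but it does first a rw,bind mount and then another with ro, nosuid, nodev, noexec, remount, bind, silent, relatime
  # mount options in (ro, rw, nosuid, nodev, noexec, remount, bind, silent, relatime)           /oldroot/sys/block/       -> /newroot/sys/block/,
  # mount options=(ro, nosuid, nodev, noexec, remount, bind, silent, relatime)                  /oldroot/sys/bus/         -> /newroot/sys/bus/,
  # mount options=(ro, nosuid, nodev, noexec, remount, bind, silent, relatime)                  /oldroot/sys/class/       -> /newroot/sys/class/,
  # mount options=(ro, nosuid, nodev, noexec, remount, bind, silent, relatime)                  /oldroot/sys/dev/         -> /newroot/sys/dev/,
  # mount options=(ro, nosuid, nodev, noexec, remount, bind, silent, relatime)                  /oldroot/sys/devices/     -> /newroot/sys/devices/,
  # audit mount options=(ro, nosuid, nodev, remount, bind, silent, relatime)                                                    -> /newroot/usr{/local,}/share/,

  # Unrestricted: any fstype, options, source and target. The `owner ... w`
  # file rules on /newroot below do not constrain what gets bind-mounted over
  # those paths. Anything running `ix` in this profile inherits this.
  mount,
  umount /,
  umount /oldroot/,

  pivot_root oldroot=/tmp/oldroot/ /tmp/,
  pivot_root oldroot=/newroot/ /newroot/,

  # Matches `signal (send) peer=evolution-bubblewrap` in the main profile.
  signal (receive) peer=evolution,

  network netlink raw,

  # uid/gid mapping for the user namespace bwrap sets up.
  /proc/sys/kernel/overflowuid r,
  /proc/sys/kernel/overflowgid r,
  owner /proc/@{pid}/fd/ r,
  owner /proc/@{pid}/comm r,
  owner /proc/@{pid}/{u,g}id_map rw,
  owner /proc/@{pid}/setgroups rw,

  # would love to have Px here but we can not do that because of apparmor="DENIED" operation="exec" info="no new privs" error=-1 profile="evolution-bubblewrap" name="/usr/libexec/libwebkit2gtk-4_0-37/WebKitWebProcess" pid=12270 comm="bwrap" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="evolution-webkit"
  # ix: the web process and the D-Bus proxy keep running under this profile.
  /usr/lib{,exec}/libwebkit2gtk-*/WebKitWebProcess                                   ix,
  /usr/bin/xdg-dbus-proxy                                                            ix,
  owner /run/user/*/webkitgtk/* rwlk,

  # Temporary files bwrap bind-mounts as /newroot/.flatpak-info (see the
  # commented mount rule above).
  /bindfile* rwlk,
  /dev/ r,
  /sys/bus/ r,
  /sys/class/ r,

  owner @{HOME}/.local/share/gvfs-metadata/home r,
  owner @{HOME}/.local/share/gvfs-metadata/home-*.log r,
  owner @{HOME}/.cache/evolution/mail/*/.ev-store-summary rwl,

  # Quietly drop the registry write attempts; reads are enough here.
  owner @{HOME}/.cache/gstreamer-1.0/registry*             r,
  deny  @{HOME}/.cache/gstreamer-1.0/registry*             w,
  # /newroot/** `w` rules: presumably the mount-point placeholders bwrap
  # creates inside its new-root tmpfs before bind-mounting over them; `owner`
  # holds because bwrap creates them as the invoking user.
  owner /newroot/dev/                                      w,
  owner /newroot/dev/video0                                w,
  owner /newroot/dev/console                               w,
  owner /newroot/dev/core                                  w,
  owner /newroot/dev/dri/                                  w,
  owner /newroot/dev/v4l/                                  w,
  owner /newroot/dev/video*                                w,
  owner /newroot/dev/fd                                    w,
  owner /newroot/dev/full                                  w,
  owner /newroot/dev/null                                  w,
  owner /newroot/dev/nvidia0                               w,
  owner /newroot/dev/nvidiactl                             w,
  owner /newroot/dev/ptmx                                  w,
  owner /newroot/dev/pts/                                  w,
  owner /newroot/dev/random                                w,
  owner /newroot/dev/shm/                                  w,
  owner /newroot/dev/snd/                                  w,
  owner /newroot/dev/stderr                                w,
  owner /newroot/dev/stdin                                 w,
  owner /newroot/dev/stdout                                w,
  owner /newroot/dev/tty                                   w,
  owner /newroot/dev/urandom                               w,
  owner /newroot/dev/zero                                  w,
  owner /newroot/etc/                                      w,
  /newroot/.flatpak-info                                   w,
  /.flatpak-info                                           r,
  owner /newroot/@{HOME}/                                  w,
  owner /newroot/@{HOME}/.cache/                           w,
  owner /newroot/@{HOME}/.cache/fontconfig/                w,
  owner /newroot/@{HOME}/.cache/gstreamer-1.0/             w,
  owner /newroot/@{HOME}/.config/fontconfig/               w,
  owner /newroot/@{HOME}/.config/gtk-3.0/                  w,
  owner /newroot/@{HOME}/.config/pulse/                    w,
  owner /newroot/@{HOME}/.config/                          w,
  owner /newroot/@{HOME}/.fonts/                           w,
  owner /newroot/@{HOME}/.local/share/gstreamer-1.0/       w,
  owner /newroot/@{HOME}/.local/share/                     w,
  owner /newroot/@{HOME}/.local/share/webkitgtk/databases/ w,
  owner /newroot/@{HOME}/.local/share/webkitgtk/           w,
  owner /newroot/@{HOME}/.local/                           w,
  owner /newroot/@{HOME}/.themes/                          w,
  owner /newroot/lib{64,}/                                 w,
  owner /newroot/proc/                                     w,
  owner /newroot/run/                                      w,
  owner /newroot/run/user/*/bus                            w,
  owner /newroot/run/user/*/gdm/                           w,
  owner /newroot/run/user/*/gdm/Xauthority                 w,
  owner /newroot/run/user/*/pulse/                         w,
  owner /newroot/run/user/                                 w,
  owner /newroot/run/user/*/                               w,
  owner /newroot/run/user/*/webkitgtk/                     w,
  owner /newroot/run/user/*/webkitgtk/dbus-proxy-*         w,
  owner /newroot/{srv/,}home/                              w,
  owner /newroot/srv/                                      w,
  owner /newroot/sys/block/                                w,
  owner /newroot/sys/bus/                                  w,
  owner /newroot/sys/class/                                w,
  owner /newroot/sys/devices/                              w,
  owner /newroot/sys/dev/                                  w,
  owner /newroot/sys/                                      w,
  owner /newroot/tmp/                                      w,
  owner /newroot/tmp/.X11-unix/                            w,
  owner /newroot/tmp/.X11-unix/X1                          w,
  owner /newroot/usr/                                      w,
  owner /newroot/usr/bin/                                  w,
  /newroot/usr/bin/                                        r,
  owner /newroot/usr/lib{64,}/                             w,
  owner /newroot/usr/libexec/pk-gstreamer-install          w,
  owner /newroot/usr/libexec/gst-install-plugins-helper    w,
  owner /newroot/usr/lib{exec,}/libwebkit2gtk-*/           w,
  owner /newroot/usr/lib{exec,}/                           w,
  owner /newroot/usr/local/lib{64,}/                       w,
  owner /newroot/usr/local/share/                          w,
  owner /newroot/usr/local/                                w,
  owner /newroot/usr/share/                                w,
  owner /newroot/var/                                      w,
  owner /newroot/var/cache/fontconfig/                     w,
  owner /newroot/var/cache/                                w,
  owner /newroot/var/run                                   w,
  owner /newroot/var/tmp                                   w,
  owner /proc/@{pid}/cmdline                               r,
  owner /proc/@{pid}/mountinfo                             r,
  owner /proc/@{pid}/smaps                                 r,
  owner /proc/@{pid}/statm                                 r,
  owner /                                                  r,
  owner /newroot/run/user/*/wayland-0                      w,
  owner /newroot/tmp/.X11-unix/X0                          w,

  owner /newroot/usr/bin/xdg-dbus-proxy rw,
  # NOTE(review): the only /newroot/dev entry without `owner` and with `rw`
  # instead of `w`; if it was lifted from a single log line, check whether
  # `owner /newroot/dev/media0 w,` is sufficient like its siblings.
  /newroot/dev/media0 rw,
  owner /newroot/run/user/*/webkitgtk/a11y-proxy*          w,
  owner /newroot/run/user/*/webkitgtk/bus                  w,
  owner /newroot/run/user/*/webkitgtk/at-spi-bus           w,
  owner /newroot/usr/libexec/gstreamer-1.0/                w,
  owner /newroot/usr/libexec/gstreamer-1.0/gst-ptp-helper  w,
  owner /newroot/usr/libexec/gstreamer-1.0/gst-plugin-scanner-x86_64 w,
  owner /newroot/@{HOME}/.local/share/@{CONFIGSUBDIRS}/           w,
  owner /newroot/@{HOME}/.local/share/@{CONFIGSUBDIRS}/mediakeys/ w,
  owner /newroot/@{HOME}/.local/share/@{CONFIGSUBDIRS}/mediakeys/v1/ w,

  owner /newroot/run/systemd/ w,
  owner /newroot/run/systemd/journal/ w,
  owner /newroot/run/systemd/journal/socket w,
  owner /newroot/run/systemd/journal/stdout w,

  owner /run/user/*/.flatpak/webkit-*/bwrapinfo.json rw,

  # Read-only hardware enumeration; any PCI domain/root bus is matched, not
  # only pci0000:00 (multi-root-complex machines expose pci0000:20, ...).
  /sys/devices/virtual/dmi/id/chassis_type                 r,
  /sys/devices/pci[0-9]*/**/{uevent,vendor,device,subsystem_vendor,subsystem_device,config,revision}        r,

  /usr/share/icu/*/icu*.dat                                r,
  /usr/share/publicsuffix/*                                r,
  /usr/share/hyphen/                                       r,
  /usr/share/hyphen/*                                      r,

  /etc/nsswitch.conf                                       r,
  /etc/passwd                                              r,

  owner @{HOME}/.local/share/@{CONFIGSUBDIRS}/                   rw,

  # inherited from main process
  /proc/zoneinfo r,
  owner /proc/@{pid}/cgroup r,

  /sys/fs/cgroup/memory/{memory.memsw.limit_in_bytes,memory.usage_in_bytes,memory.limit_in_bytes} r,
  owner /sys/fs/cgroup/memory/user.slice/user-*.slice/user@*.service/{memory.memsw.limit_in_bytes,memory.usage_in_bytes,memory.limit_in_bytes} r,
  owner /sys/fs/cgroup/user.slice/user-*.slice/user@*.service/app.slice/app-gnome-org.gnome.Evolution-*.scope/memory.{current,max,high} r,
}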

# Applies only when the main profile execs xdg-dbus-proxy directly; when it is
# started from inside bwrap it inherits evolution-bubblewrap instead (ix there).
# NOTE(review): no rule here allows reaching the session bus socket itself;
# confirm the direct-exec path is actually exercised and works.
profile evolution-xdg-dbus-proxy {
  include <abstractions/base>
  /usr/bin/xdg-dbus-proxy rm,
  owner /run/user/*/webkitgtk/* rwlk,
}

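# WebKit web (content) process when Evolution execs it directly, i.e. without
# bwrap. Deliberately has NO network rules: all network I/O belongs to the
# WebKitNetworkProcess profile, so a compromised renderer cannot talk out.
# When bwrap is used the renderer runs under evolution-bubblewrap instead.
profile evolution-webkit {
  include <abstractions/base>
  include <abstractions/X>
  include <abstractions/gnome>
  include <abstractions/dconf>
  include <abstractions/fonts>
  include <abstractions/nvidia>
  include <abstractions/evolution>
  include <abstractions/openssl>
  include <abstractions/mesa>

  /usr/lib{,exec}/libwebkit2gtk-*/WebKitWebProcess rm,

  /proc/@{pid}/smaps r,

  # Quiet deny: directory listing of /dev is noisy and not needed.
  deny /dev/ r,

  owner /proc/@{pid}/comm rw,
  owner /proc/@{pid}/task/*/comm rw,

  owner @{HOME}/.local/share/gvfs-metadata/home r,
  owner @{HOME}/.cache/gstreamer-1.0/registry* rw,
  /usr/lib{,exec}/gstreamer-1.0/gst-plugin-scanner-* Px -> evolution-gst-plugin-scanner,

  # GPU probing; match every PCI domain/root bus, not only pci0000:00.
  /sys/devices/pci[0-9]*/**/{uevent,vendor}                        r,

  owner /sys/fs/cgroup/memory/user.slice/user-*.slice/user@*.service/{memory.memsw.limit_in_bytes,memory.usage_in_bytes,memory.limit_in_bytes} r,
  owner /sys/fs/cgroup/user.slice/user-*.slice/user@*.service/app.slice/app-gnome-org.gnome.Evolution-*.scope/memory.{max,high,current} r,
}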

# WebKit network process: the one WebKit component allowed to open sockets
# (TCP + UDP, v4/v6) and therefore the one parsing raw remote input.
# NOTE(review): the rwlk grant on @{HOME}/.local/share/@{CONFIGSUBDIRS}/**
# covers all of Evolution's local data, far more than this process' own state
# (webkitgtk/ and the cache dir); consider narrowing once logs show what it
# actually touches.
profile evolution-webkit-network {
  include <abstractions/base>
  include <abstractions/openssl>
  include <abstractions/ssl_certs>
  include <abstractions/dconf>
  include <abstractions/mesa>

  /usr/lib{,exec}/libwebkit2gtk-*/WebKitNetworkProcess rm,

  # Resolver configuration (read-only).
  /etc/hosts r,
  /etc/host.conf r,
  /etc/resolv.conf r,
  /{usr/,}etc/nsswitch.conf       r,
  /{usr/,}etc/gai.conf       r,
  /run/nscd/db* r,

  # seems for nscd
  network netlink raw,

  network inet  dgram,
  network inet6 dgram,

  network inet  stream,
  network inet6 stream,

  owner @{HOME}/.local/share/@{CONFIGSUBDIRS}/** rwlk,
  owner @{HOME}/.local/share/webkitgtk/** rwlk,
  owner @{HOME}/.cache/@{CONFIGSUBDIRS}/ rw,
  owner @{HOME}/.cache/@{CONFIGSUBDIRS}/** rwlk,
  owner @{HOME}/.local/share/gvfs-metadata/home r,
  owner @{HOME}/.local/share/gvfs-metadata/home-*.log r,

  /proc/zoneinfo r,
  owner /proc/@{pid}/cgroup r,
  owner /proc/@{pid}/statm r,
  owner /proc/@{pid}/smaps r,

  # cgroup v1/v2 memory limits, read-only.
  /sys/fs/cgroup/memory/memory.{memsw.limit_in_bytes,limit_in_bytes,usage_in_bytes} r,
  owner /sys/fs/cgroup/memory/user.slice/user-*.slice/user@*.service/{memory.memsw.limit_in_bytes,memory.usage_in_bytes,memory.limit_in_bytes} r,
  owner /sys/fs/cgroup/user.slice/user-*.slice/user@*.service/app.slice/app-gnome-org.gnome.Evolution-*.scope/memory.{current,max,high} r,

  # TODO: shouldnt this be in abstractions/dconf
  owner /run/user/*/dconf/user rw,

  /usr/share/publicsuffix/*                                r,
  /usr/share/glib-2.0/schemas/gschemas.compiled            r,
}

# GStreamer plugin scanner, reached from evolution-webkit via Px. Only base
# plus its own binary; the /dev listing is denied quietly to keep logs clean.
profile evolution-gst-plugin-scanner {
  include <abstractions/base>
  /usr/lib{,exec}/gstreamer-1.0/gst-plugin-scanner-* rm,
  deny /dev/ r,
}

# Calendar alarm notifier (evolution-data-server), reached from the main
# profile via Px. Desktop/GNOME abstractions for the notification UI, plus
# read-only NSS lookups and Evolution's date/time format settings.
profile evolution-alarm-notify {
  include <abstractions/base>
  include <abstractions/X>
  include <abstractions/gnome>
  include <abstractions/dconf>
  include <abstractions/fonts>
  include <abstractions/openssl>

  /proc/@{pid}/statm r,

  /etc/passwd r,
  /{usr/,}etc/nsswitch.conf r,

  # TODO: shouldnt this be in abstractions/dconf
  owner /run/user/*/dconf/user rw,

  # Quiet deny of the /dev directory listing.
  deny /dev/ r,

  /var/lib/nscd/passwd r,
  /usr/share/icu/*/icu*.dat r,
  /var/cache/gio-2.0/gnome-mimeapps.list r,
  owner @{HOME}/.local/share/@{CONFIGSUBDIRS}/datetime-formats.ini r,

  /usr/lib{,exec}/evolution-data-server/evolution-data-server/evolution-alarm-notify rm,
}

# Launcher used when Evolution opens a link/attachment in an external app.
# ubuntu-browsers supplies the stock browser exec rules; the Vivaldi entries
# are bare Px, so they are DENIED unless a `vivaldi` profile is loaded on the
# system (Px has no unconfined fallback). Site-local additions go into
# local/evolution-allowed-apps.
profile evolution-gio-launch-desktop {
  include <abstractions/base>
  include <abstractions/ubuntu-helpers>
  include <abstractions/ubuntu-browsers>

  /usr/bin/gio-launch-desktop rm,
  /usr/libexec/gio-launch-desktop rm,

  /opt/vivaldi/vivaldi Px,
  /opt/vivaldi-snapshot/vivaldi Px,
  /opt/vivaldi-snapshot/vivaldi-snapshot Px,

  include if exists <local/evolution-allowed-apps>
}
