# vim:syntax=apparmor
# ------------------------------------------------------------------
#
#    Copyright (C) 2012-2013 Collabora Ltd.
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License published by the Free Software Foundation.
#
# ------------------------------------------------------------------

###
# <abstractions/gsettings>: full read/write access to dconf and GSettings
#
# Allow full read/write access to GSettings and dconf. This abstraction cannot
# restrict access to a single GSettings schema.
#
# Status: Apertis-specific, necessary until T292 is resolved
# Privilege level: elevated
# Typical users: all app-bundles, temporarily
# Dependencies: <tunables/global>
###

    # Rule set: a confined process may read the dconf database directly and must
    # route every write through dconf-service over the session bus. Nothing in
    # here is scoped per schema; a process matching this abstraction sees the
    # whole of its own dconf database.

    # All write access is mediated through the dbus service
    # TODO: why do we allow executing it? It should be D-Bus-activated
    # Px = run the binary under its own profile (named after the path) with
    # the environment scrubbed; AppArmor refuses the exec if no such profile
    # is loaded. The peer=(label=...) rules below assume that same profile name.
    /usr/lib/dconf/dconf-service		Px,

    # Reads do not go through dconf-service
    # "owner" limits both rules to files owned by the calling process's uid,
    # so a process in one account cannot read another account's database.
    owner @{HOME}/.config/dconf/		r,
    owner @{HOME}/.config/dconf/user		r,

    # $XDG_RUNTIME_DIR/dconf is used by the reader for storing an mmapped
    # copy of the database.
    # Write access here is equivalent to read access for the process.
    # The [0-9]* glob matches every uid's runtime dir; it is the "owner"
    # qualifier, not the path, that restricts this to the caller's own files.
    owner /run/user/[0-9]*/dconf/		rw,
    # This rule matches the files "user" and "user.XXXXX". The latter is a
    # random temp file written by dconf, which is then renamed on top of "user".
    # Note the glob is wider than those two names: any entry in this directory
    # whose name starts with "user" is covered.
    owner /run/user/[0-9]*/dconf/user*		rw,

    # ~/.cache/ is the fallback directory for g_get_user_runtime_dir()
    # if XDG_RUNTIME_DIR is unset. If something uses this, it's scrubbing
    # the environment, and should be fixed.
    # "deny" takes precedence over any allow rule that also matches, and
    # "audit" logs every attempt, so hits in the audit log are the signal
    # that some app-bundle is running with a scrubbed environment.
    audit deny owner @{HOME}/.cache/dconf/	rw,
    audit deny owner @{HOME}/.cache/dconf/*	rw,

    # Read access to schemas is always fine
    # Read-only; compiled schemas are system-wide and not user-writable here.
    /usr/share/glib-*/schemas/			r,
    /usr/share/glib-*/schemas/**		r,

    # receive Notify D-Bus signals
    # No interface/path/member restriction: any message dconf-service sends to
    # us on the session bus is accepted, not only the Notify signal. Matching
    # on peer label presumably requires dconf-service to actually run confined
    # under the profile named above; an unconfined service would carry the
    # label "unconfined" and this rule would not match — TODO confirm.
    dbus (receive) bus=session peer=(label=/usr/lib/dconf/dconf-service),

    # Send Change method calls
    # Likewise unrestricted by interface or member: every method call to the
    # dconf-service peer is permitted, not only Change.
    dbus (send) bus=session peer=(label=/usr/lib/dconf/dconf-service),
