#
# Example usage for an unconfined app 'appname'. This provides no protection
# or configuration.
# $ aa-easyprof --template=unconfined \
#               --profile-name=com.example.appname \
#               "/usr/share/appname/**"
#
###ENDUSAGE###
# vim:syntax=apparmor

#include <tunables/global>

# Define the template variables even in the unconfined template, since autopilot
# rules may reference them
###VAR###

# TODO: once AppArmor 3 userspace is available, drop the explicit allow-all
# rules below in favour of the `unconfined` profile mode flag:
# ###PROFILEATTACH### (unconfined) {}

# AppArmor 2.x-compatible profile: emulates "unconfined" by explicitly allowing
# each mediation class listed below
###PROFILEATTACH### (attach_disconnected,mediate_deleted) {
  # Nothing in this block restricts the app; the only effect of loading the
  # profile is that the process carries this label.
  # attach_disconnected: paths with no connection to the namespace root are
  # attached to '/' so they still match the rules below.
  # mediate_deleted: accesses to deleted files are mediated rather than
  # implicitly allowed.
  capability,
  network,
  / rwkl,
  /** rwlkm,
  # Execute anything: 'p' transitions into the target's own profile when one is
  # loaded, 'u' falls back to unconfined when none is. Both are lower-case, so
  # the environment is not scrubbed across the transition.
  /** pux,

  # Special exception for QtWebEngineProcess.
  # The Chromium side of QtWebEngine executes QtWebEngineProcess with the
  # no_new_privs flag set. A process with that flag cannot gain "new
  # privileges", and AppArmor treats a profile transition (the 'p' above) as
  # exactly that. Since AppArmor now ships a profile for QtWebEngineProcess
  # (to grant it userns), `/** pux` would select that profile and the exec
  # would fail; `ix` keeps the child under this profile instead.
  #
  # NOTE(review): this profile declares no `abi` line and no `userns,` rule.
  # Confirm that a QtWebEngineProcess inherited via `ix` can still create user
  # namespaces on kernels that mediate them, since that is what the shipped
  # profile exists to allow.
  #
  # Note: @{multiarch} exists, but it expands to a pattern containing a
  # wildcard, and because of [^1] a wildcard rule cannot carry an exec mode
  # that conflicts with a less specific wildcard rule (`/** pux` here). Not
  # every architecture is enumerated, to avoid cluttering this file; on an
  # architecture not listed, QtWebEngineProcess presumably falls back to
  # `/** pux` and hits the no_new_privs denial described above.
  #
  # [^1]: https://gitlab.com/apparmor/apparmor/-/issues/93

  /usr/lib/x86_64-linux-gnu/qt5/libexec/QtWebEngineProcess ix,
  /usr/lib/arm-linux-gnueabihf/qt5/libexec/QtWebEngineProcess ix,
  /usr/lib/aarch64-linux-gnu/qt5/libexec/QtWebEngineProcess ix,

  # Remaining mediation classes, each allowed without restriction.
  mount,
  remount,
  umount,
  dbus,
  signal,
  ptrace,
  unix,
  pivot_root,
}
