# veilor-os AppArmor profile — LM Studio (local LLM runner)
#
# Scope:
#   Confine LM Studio's binary. LM Studio loads arbitrary GGUF/safetensors
#   weights and exposes an OpenAI-compatible HTTP server on :1234. The
#   binary itself is closed-source — we don't trust it with the full home
#   directory.
#
# Mode:
#   complain initially. Flip to enforce once observed denials are reviewed.
#
# Manual enable:
#   sudo install -m 0644 scripts/apparmor/usr.local.bin.lm-studio /etc/apparmor.d/
#   sudo apparmor_parser -r /etc/apparmor.d/usr.local.bin.lm-studio
#   sudo aa-complain /etc/apparmor.d/usr.local.bin.lm-studio
#   sudo aa-enforce  /etc/apparmor.d/usr.local.bin.lm-studio
#
# NOT enabled in kickstart by default. v0.5 work.

#include <tunables/global>

profile lm-studio /usr/local/bin/lm-studio flags=(complain) {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/openssl>
  #include <abstractions/dbus-session>
  #include <abstractions/freedesktop.org>
  #include <abstractions/X>
  #include <abstractions/fonts>

  # ---- network: HTTP server :1234 + outbound model downloads ----
  network inet  stream,
  network inet6 stream,
  network inet  dgram,
  network inet6 dgram,
  deny   network raw,
  deny   network packet,
  deny   network bluetooth,

  # ---- binary + electron runtime (LM Studio is Electron-based) ----
  /usr/local/bin/lm-studio                    mr,
  /opt/lm-studio/**                           mr,
  /usr/lib/lm-studio/**                       mr,

  # ---- model weights + metadata ----
  owner @{HOME}/.lmstudio/                    rw,
  owner @{HOME}/.lmstudio/**                  rwk,
  owner @{HOME}/.cache/lm-studio/**           rwk,
  owner @{HOME}/.config/LMStudio/**           rwk,

  # ---- temp ----
  /tmp/                                       r,
  owner /tmp/**                               rwk,
  /var/tmp/                                   r,
  owner /var/tmp/**                           rwk,

  # ---- GPU device nodes (CUDA / ROCm / Vulkan) ----
  /dev/dri/                                   r,
  /dev/dri/**                                 rw,
  /dev/nvidia*                                rw,
  /dev/nvidiactl                              rw,
  /dev/nvidia-uvm                             rw,
  /dev/nvidia-uvm-tools                       rw,
  /dev/kfd                                    rw,
  /dev/shm/**                                 rwk,

  # ---- system info ----
  /etc/machine-id                             r,
  /etc/os-release                             r,
  /etc/localtime                              r,
  /sys/devices/system/cpu/**                  r,
  /sys/class/drm/**                           r,
  /proc/cpuinfo                               r,
  /proc/meminfo                               r,
  /proc/stat                                  r,

  # ---- /proc: own process only ----
  owner /proc/@{pid}/**                       r,
  deny  /proc/*/mem                           rwk,

  # ---- forbidden ----
  deny ptrace,
  deny capability sys_ptrace,
  deny capability sys_module,
  deny capability sys_rawio,
  deny /dev/kmem        rwk,
  deny /dev/mem         rwk,
  deny /dev/port        rwk,
  deny /sys/kernel/**   w,
  deny /etc/shadow      r,
  deny @{HOME}/.ssh/**  rwk,
  deny @{HOME}/.gnupg/** rwk,

  # ---- xdg / browser handoff for "Open in browser" UI button ----
  /usr/bin/xdg-open                           Pix,
}