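# veilor-os AppArmor profile — Thorium browser (Chromium fork)
#
# Scope:
#   Confine the Thorium browser binary at /usr/bin/thorium. Thorium is a
#   Chromium derivative; it sandboxes its own renderer/GPU/utility processes,
#   but the *browser* process itself runs with the full user's permissions
#   unless a MAC layer scopes it down. This profile is that scope.
#
# Mode:
#   complain — log violations to audit.log but do NOT block. This is the
#   first-fit profile; the user is expected to refine it from observed
#   denials before flipping to enforce. See `aa-logprof` to convert audit
#   denials into rule additions.
#
#   NOTE(review): only *missing allow* rules are merely logged in complain
#   mode; AppArmor documents explicit `deny` rules as enforced regardless of
#   mode (confirm on the installed apparmor version). The deny rules below are
#   therefore the one part of this file that can break the browser before
#   enforce is switched on — keep them minimal and deliberate.
#
# Manual enable:
#   sudo install -m 0644 scripts/apparmor/usr.bin.thorium /etc/apparmor.d/
#   sudo apparmor_parser -r /etc/apparmor.d/usr.bin.thorium
#   sudo aa-complain /etc/apparmor.d/usr.bin.thorium   # log only (redundant: flags=(complain) is in the file)
#   sudo aa-enforce  /etc/apparmor.d/usr.bin.thorium   # block: strips the complain flag from the file and reloads
#
# NOT enabled in kickstart by default. v0.5 work.

# Mandatory: defines @{HOME} and @{pid}, which the rules below rely on.
#include <tunables/global>

profile thorium /usr/bin/thorium flags=(complain) {
  # Minimum for any dynamically linked binary (libc, /dev/null, locale, ...).
  #include <abstractions/base>
  # NOTE(review): this copy of the file lost the angle-bracketed names of the
  # remaining abstraction includes (they were stripped as markup); a bare
  # `#include` does not parse. Restore them from the canonical file before
  # loading. Typical candidates for a Chromium profile are fonts, the display
  # server, audio, D-Bus, name service and TLS certificates — confirm against
  # the original rather than guessing, and let audit denials fill the rest.

  # ---- network ----
  # Classic AppArmor network rules mediate address family and socket type
  # only — not direction and not port — so this is NOT "outbound 80/443":
  # `inet stream` also permits listening (e.g. a remote-debugging port), and
  # `inet dgram` covers QUIC/HTTP3 as well as DNS. Port scoping needs the
  # fine-grained network rules of AppArmor 4+ or an egress firewall.
  network inet stream,
  network inet6 stream,
  network inet dgram,
  network inet6 dgram,
  network netlink raw,              # rtnetlink: link/address change notifications
  # Coarse AF_UNIX allowance for Chromium's IPC socketpairs between the
  # browser and its children; redundant if the restored abstractions already
  # grant it, harmless otherwise.
  network unix stream,
  network unix dgram,
  deny network raw,
  deny network packet,
  deny network bluetooth,
  deny network can,
  deny network rds,
  deny network sctp,

  # ---- binary + libs ----
  # `ix` (inherit) is required: Chromium spawns its zygote/renderer/GPU/utility
  # children by re-executing its own binary, and they must stay under this
  # profile rather than fail to exec or escape confinement.
  /usr/bin/thorium mrix,
  /usr/lib/thorium/** mrix,
  /usr/share/thorium/** r,
  /opt/thorium/** mrix,
  /etc/thorium/** r,

  # ---- per-user state ----
  owner @{HOME}/.config/thorium/** rwk,
  owner @{HOME}/.cache/thorium/** rwk,
  owner @{HOME}/.local/share/thorium/** rwk,

  # ---- file pickers ----
  # Downloads is the only writable user directory; Documents/Pictures are
  # readable for upload pickers. Anything else the user selects in a file
  # dialog shows up as a denial — extend deliberately, not wholesale.
  owner @{HOME}/Downloads/ rw,
  owner @{HOME}/Downloads/** rwk,
  owner @{HOME}/Documents/ r,
  owner @{HOME}/Documents/** r,
  owner @{HOME}/Pictures/ r,
  owner @{HOME}/Pictures/** r,

  # ---- /proc ----
  # `owner` means same *uid*, not same pid: this reads /proc of any process
  # the user owns. Per-process scoping is not expressible with path rules.
  owner /proc/@{pid}/** r,
  # Writes the browser itself performs: uid/gid maps and setgroups for the
  # user namespace its (non-SUID) namespace sandbox creates, and
  # oom_score_adj for child-process OOM tuning. Presumed from upstream
  # Chromium behaviour — confirm against audit output.
  owner /proc/@{pid}/{setgroups,uid_map,gid_map,oom_score_adj} w,
  # deny beats the owner-allow above, so the browser's *own* /proc/self/mem
  # and /proc/self/maps are denied too. Cross-process reads of these are
  # already gated by the kernel's ptrace access check, which the ptrace deny
  # below fails; the maps deny therefore mostly costs in-process stack
  # symbolisation / memory metrics. Drop it if audit shows it biting.
  deny /proc/*/mem rwk,
  deny /proc/*/maps r,
  deny /proc/sys/kernel/** w,
  # NOTE(review): on AppArmor 4.x kernels that restrict unprivileged user
  # namespaces (Ubuntu 23.10+), a confined profile also needs `userns,` for
  # the namespace sandbox. Add it only if the installed apparmor_parser
  # accepts the keyword; older parsers reject the whole profile otherwise.

  # ---- ptrace: forbidden ----
  # This also disables crashpad-style crash dumps, whose handler attaches to
  # the crashed process with ptrace. Deliberate trade-off.
  deny ptrace,
  deny capability sys_ptrace,

  # ---- kernel: no module load, no /dev/kmem, no /dev/mem ----
  # No `capability` rule grants these in the first place; the denies are
  # documentation plus insurance against a restored abstraction granting them.
  deny capability sys_module,
  deny /dev/kmem rwk,
  deny /dev/mem rwk,
  deny /dev/port rwk,
  deny /sys/kernel/** w,

  # ---- temp ----
  /tmp/ r,
  owner /tmp/** rwk,
  /var/tmp/ r,
  owner /var/tmp/** rwk,

  # ---- system info read-only ----
  /etc/machine-id r,
  /etc/os-release r,
  /etc/localtime r,
  /sys/devices/system/cpu/** r,
  /sys/class/net/** r,

  # ---- SUID sandbox helper ----
  # chrome-sandbox is setuid root and needs real capabilities, so it gets its
  # own child profile instead of inheriting this one. Upper-case `C` requests
  # secure-exec environment scrubbing, which the setuid bit applies anyway.
  # This exact-path rule must keep its Cx despite the `ix` glob above: the
  # parser gives an exact path's x-modifier precedence over a glob's.
  /usr/lib/thorium/chrome-sandbox Cx -> sandbox,
  # xdg-open: whatever handler it launches inherits THIS profile unless the
  # handler has a profile of its own, so mailto:/external-scheme handlers will
  # trip denials. Revisit (dedicated profile or `Px`) before enforce.
  /usr/bin/xdg-open Pix,

  profile sandbox {
    #include <abstractions/base>
    # Sandbox setup: unshare(CLONE_NEWPID|CLONE_NEWNET) needs sys_admin,
    # chroot() needs sys_chroot.
    capability sys_admin,
    capability sys_chroot,
    # sys_ptrace deliberately NOT granted: the parent profile forbids ptrace
    # and the helper's namespace/chroot setup has no known need for it.
    # Re-add only on an observed denial with an explanation.
    /usr/lib/thorium/chrome-sandbox mr,
    # The helper execs the zygote, which under `ix` inherits THIS child
    # profile — so the zygote and everything it forks run without the main
    # profile's deny rules. TODO(review): once the package's real browser
    # binary path is confirmed, give that one path `px -> thorium` so the
    # browser tree returns to the main profile.
    /usr/lib/thorium/** mrix,
    # user-namespace maps (kept from the first draft; the SUID helper path
    # itself does not create user namespaces — harmless if unused).
    /proc/*/setgroups w,
    /proc/*/uid_map w,
    /proc/*/gid_map w,
    # The helper's --adjust-oom-score mode lowers a child's OOM score as
    # root; non-owner match because fsuid is 0 here. Presumed from upstream
    # Chromium — confirm against audit output.
    /proc/@{pid}/oom_score_adj w,
  }
}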