# vim:syntax=apparmor abi , include profile deepin-wine6 /opt/deepin-wine6-stable/bin/* { include include include include include include include include network inet stream, network inet6 stream, @{PROC}/@{pid}/net/if_inet6 r, @{PROC}/@{pid}/net/ipv6_route r, /opt/deepin-wine6-stable/** rmix, /etc/fstab r, /usr/share/terminfo/** r, /tmp/.wine-*/ rw, /tmp/.wine-*/server-*/ rw, /tmp/.wine-*/server-*/* rwmk, owner @{HOME}/ r, owner @{HOME}/.wine/ rw, owner @{HOME}/.wine/** rwmk, owner @{HOME}/.local/share/icons/hicolor/** rwk, owner @{HOME}/.local/share/applications/** rwk, owner @{HOME}/.config/menus/applications-merged/wine-* rwk, owner @{HOME}/.local/share/desktop-directories/wine-* rwk, # Mostly winemenubuilder stuff deny /usr/bin/update-mime-database x, deny /usr/bin/update-desktop-database x, deny @{HOME}/.local/share/mime/** w, # For winedbg ##deny capability sys_ptrace, # Hardware /etc/udev/udev.conf r, /run/udev/data/* r, /run/udev/queue.bin r, /sys/devices/pci** r, /sys/devices/system/** r, /dev r, /dev/video* rw, /dev/tty* rw, /dev/pts/* r, /dev/hidraw2 rw, # For initial ~/.wine creation/updates only / r, /usr/share/wine/** r, owner @{HOME}/.cache/ r, owner @{HOME}/.cache/wine/ rwk, owner @{HOME}/.cache/wine/** rwk, # Actual apps/games owner /proc/@{pid}/mounts r, owner @{HOME}/.cups/ r, /etc/machine-id r, /mnt/iso/ r, /mnt/iso/** r, # Deepin wine @{PROC}/uptime r, /bin/dirname ix, /bin/uname ix, /usr/bin/ntlm_auth ix, owner @{HOME}/.deepinwine/** mrwkl, owner @{HOME}/Documents/** mrwkl, owner @{HOME}/Downloads/** mrwkl, owner @{HOME}/** r, ##/sys/** r, ##/dev/** r, @{PROC}/@{pid}/** r, /usr/share/fonts/** mrl, ptrace (trace, tracedby) peer=deepin-wine6, # Wechat /opt/apps/com.qq.weixin.deepin/** rmix, # Wecom (Wechat work) /opt/apps/com.qq.weixin.work.deepin/** rmix, # Site-specific additions and overrides. See local/README for details. include if exists }