From 7461536d52023cd8d6cf8fda0af42095e38130be Mon Sep 17 00:00:00 2001
From: Ryan Lee <ryan.lee@canonical.com>
Date: Thu, 17 Apr 2025 15:42:51 -0700
Subject: [PATCH] profiles: add a profile for notify-send

Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
---
 profiles/apparmor.d/notify-send | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
 create mode 100644 profiles/apparmor.d/notify-send

diff --git a/profiles/apparmor.d/notify-send b/profiles/apparmor.d/notify-send
new file mode 100644
index 000000000..f24fbe091
--- /dev/null
+++ b/profiles/apparmor.d/notify-send
@@ -0,0 +1,21 @@
+abi <abi/4.0>,
+
+include <tunables/global>
+
+profile notify-send /usr/bin/notify-send {
+    include <abstractions/base>
+    include <abstractions/dbus-session-strict>
+
+    /usr/bin/notify-send mr,
+
+    # No idea why notify-send wants cgroup info but it works fine without it
+    deny /proc/@{pid}/cgroup r,
+    
+    dbus (send)
+        bus=session
+        path=/org/freedesktop/Notifications
+        interface=org.freedesktop.Notifications
+        member={GetServerInformation,Notify},
+
+    include if exists <local/notify-send>
+}