# AppArmor profile for The Foundry Nuke 15.2v6
# Blocks external network access while allowing localhost frameserver communication
#
# Installation:
#   sudo cp nuke.profile /etc/apparmor.d/home.nicholai.Nuke15.2v6.Nuke15.2
#   sudo apparmor_parser -r /etc/apparmor.d/home.nicholai.Nuke15.2v6.Nuke15.2
#   sudo aa-enforce /home/nicholai/Nuke15.2v6/Nuke15.2
#
# Testing (complain mode - logs violations without blocking):
#   sudo aa-complain /home/nicholai/Nuke15.2v6/Nuke15.2
#
# Check status:
#   sudo aa-status | grep Nuke
#
# View denials:
#   sudo journalctl -xe | grep apparmor | grep Nuke
#
# Disable:
#   sudo aa-disable /home/nicholai/Nuke15.2v6/Nuke15.2
#

#include <tunables/global>

/home/nicholai/Nuke15.2v6/Nuke15.2 flags=(complain) {
  #include <abstractions/base>
  #include <abstractions/fonts>
  #include <abstractions/X>
  #include <abstractions/freedesktop.org>
  #include <abstractions/mesa>
  #include <abstractions/dri-common>
  #include <abstractions/opengl>

  # Nuke installation directory
  /home/nicholai/Nuke15.2v6/** r,
  /home/nicholai/Nuke15.2v6/Nuke15.2 rix,
  /home/nicholai/Nuke15.2v6/Nuke rix,
  /home/nicholai/Nuke15.2v6/crashpad_handler rix,

  # User Nuke directories
  owner @{HOME}/.nuke/** rw,
  owner @{HOME}/Documents/nuke/** rw,
  owner @{HOME}/.config/Nuke/** rw,
  owner @{HOME}/.local/share/Nuke/** rw,

  # Temporary files
  owner /tmp/** rw,
  owner /var/tmp/** rw,
  /tmp/** rw,
  /var/tmp/** rw,

  # Shared memory for frameserver
  owner /dev/shm/** rw,
  /dev/shm/** rw,

  # Process communication (frameserver)
  unix (send, receive) type=stream,
  unix (send, receive) type=dgram,

  # Allow reading project files and footage
  # Add specific paths as needed for your workflow
  owner @{HOME}/** r,
  /media/** r,
  /mnt/** r,

  # System libraries and dependencies
  /usr/lib/** rm,
  /usr/share/** r,
  /etc/** r,
  /proc/** r,
  /sys/** r,
  /dev/null rw,
  /dev/zero r,
  /dev/urandom r,
  /dev/dri/** rw,

  # GPU access (required for rendering)
  /dev/nvidia* rw,
  /dev/dri/card* rw,
  /dev/dri/renderD* rw,

  # Allow creating child processes (frameserver, etc.)
  /home/nicholai/Nuke15.2v6/Nuke15.2 px,
  /home/nicholai/Nuke15.2v6/Nuke px,

  # Network rules - CRITICAL SECTION FOR BLOCKING TELEMETRY

  # Allow TCP and UDP (needed for frameserver)
  network inet stream,
  network inet6 stream,
  network unix stream,
  network unix dgram,

  # BLOCK: Deny all external connections (only allow localhost)
  deny network inet to !127.0.0.0/8,
  deny network inet6 to !::1,

  # BLOCK: Explicitly deny known telemetry endpoints
  deny network inet to 52.50.232.31,    # learn.foundry.com
  deny network inet to 52.205.16.9,      # api.honeycomb.io

  # Signal permissions (needed for process management)
  signal (send) set=(term, kill),
  signal (receive) set=(term, kill, hup),

  # Capabilities
  capability sys_nice,
  capability ipc_lock,
}

# Alternative profile name (if using /Nuke instead of /Nuke15.2)
/home/nicholai/Nuke15.2v6/Nuke flags=(complain) {
  #include <tunables/global>
  #include <abstractions/base>
  #include <abstractions/fonts>
  #include <abstractions/X>
  #include <abstractions/freedesktop.org>
  #include <abstractions/mesa>
  #include <abstractions/opengl>

  # Same rules as above
  /home/nicholai/Nuke15.2v6/** r,
  /home/nicholai/Nuke15.2v6/Nuke rix,
  /home/nicholai/Nuke15.2v6/Nuke15.2 rix,
  /home/nicholai/Nuke15.2v6/crashpad_handler rix,

  owner @{HOME}/.nuke/** rw,
  owner @{HOME}/Documents/nuke/** rw,
  owner @{HOME}/.config/Nuke/** rw,
  owner @{HOME}/.local/share/Nuke/** rw,

  owner /tmp/** rw,
  owner /var/tmp/** rw,
  owner /dev/shm/** rw,

  unix (send, receive) type=stream,
  unix (send, receive) type=dgram,

  owner @{HOME}/** r,
  /media/** r,
  /mnt/** r,

  /usr/lib/** rm,
  /usr/share/** r,
  /etc/** r,
  /proc/** r,
  /sys/** r,
  /dev/null rw,
  /dev/zero r,
  /dev/urandom r,
  /dev/dri/** rw,
  /dev/nvidia* rw,

  # Network blocking
  network inet stream,
  network inet6 stream,
  network unix stream,
  network unix dgram,

  deny network inet to !127.0.0.0/8,
  deny network inet6 to !::1,
  deny network inet to 52.50.232.31,
  deny network inet to 52.205.16.9,

  signal (send) set=(term, kill),
  signal (receive) set=(term, kill, hup),

  capability sys_nice,
  capability ipc_lock,
}

# Profile for crashpad_handler (crash reporting subprocess)
# This should be blocked from network entirely
/home/nicholai/Nuke15.2v6/crashpad_handler {
  #include <abstractions/base>

  /home/nicholai/Nuke15.2v6/crashpad_handler rix,

  # Allow writing crash dumps locally
  owner @{HOME}/.nuke/** rw,
  owner @{HOME}/Documents/nuke/** rw,
  owner /tmp/** rw,

  /proc/** r,
  /sys/** r,

  # BLOCK ALL NETWORK (no crash reporting to sentry.foundry.com)
  deny network inet,
  deny network inet6,
}

# Installation Instructions:
#
# 1. Install AppArmor (if not already installed):
#    Arch: sudo pacman -S apparmor
#    Ubuntu: sudo apt install apparmor apparmor-utils
#
# 2. Enable AppArmor:
#    sudo systemctl enable --now apparmor.service
#
# 3. Copy this profile:
#    sudo cp nuke.profile /etc/apparmor.d/home.nicholai.Nuke15.2v6.Nuke15.2
#
# 4. Load the profile in COMPLAIN mode first (for testing):
#    sudo apparmor_parser -r /etc/apparmor.d/home.nicholai.Nuke15.2v6.Nuke15.2
#    sudo aa-complain /home/nicholai/Nuke15.2v6/Nuke15.2
#
# 5. Run Nuke and test functionality:
#    - Check rendering works
#    - Verify frameserver works
#    - Test file loading/saving
#
# 6. Check for violations:
#    sudo journalctl -xe | grep apparmor | grep Nuke
#    sudo aa-logprof  # Interactive tool to adjust profile
#
# 7. If everything works, switch to ENFORCE mode:
#    sudo aa-enforce /home/nicholai/Nuke15.2v6/Nuke15.2
#
# 8. Verify enforcement:
#    sudo aa-status | grep Nuke
#
# Troubleshooting:
#
# - If Nuke won't start:
#   Check violations: sudo journalctl -xe | grep apparmor | grep Nuke
#   Switch to complain mode: sudo aa-complain /home/nicholai/Nuke15.2v6/Nuke15.2
#
# - If rendering fails:
#   May need to add specific file paths for footage/projects
#   Update profile with your project directories
#
# - To disable temporarily:
#   sudo aa-disable /home/nicholai/Nuke15.2v6/Nuke15.2
#
# - To re-enable:
#   sudo aa-enforce /home/nicholai/Nuke15.2v6/Nuke15.2
#
# Notes:
#
# - This profile starts in complain mode (flags=(complain)) for safety
# - Network blocking rules allow localhost (127.0.0.0/8) for frameserver
# - All external IPs are denied, including known Foundry endpoints
# - Crashpad handler is completely blocked from network access
# - Profile may need adjustment for specific workflows (NFS, render farms, etc.)