# Rule set for a Chromium-family browser, meant to be pulled into a concrete profile.
# NOTE(review): @{BINARY_PATH}, @{CONFIG_SUBDIR}, @{BROWSER} and @{SOCKET_PATH} are
# used below but never defined here; the including profile must define them.
include <abstractions/base>
#
# TLS, PKCS#11 and certificate store access.
include <abstractions/p11-kit>
include <abstractions/p11-kit-files>
include <abstractions/openssl>
include <abstractions/ssl_certs>
include <abstractions/nssdb-user-files>
#
# Desktop integration (fonts, toolkit, settings).
include <abstractions/fonts>
include <abstractions/gnome>
include <abstractions/gtk>
include <abstractions/dconf>
#
# Browser-side halves of the keepassxc-proxy and xdg-tools integrations.
include <abstractions/keepassxc-proxy-chromium-in-browser>
include <abstractions/xdg-tools-chromium-in-browser>
#
# OpenCL is rarely used in practice, but the abstraction grants the GPU device
# access that is needed anyway.
include <abstractions/X>
include <abstractions/opencl>
include <abstractions/dri-enumerate>
include <abstractions/nvidia>
include <abstractions/audio>
include <abstractions/mesa>
include <abstractions/vulkan>
include <abstractions/cups-client>

# TODO: should probably live in some abstraction.
/proc/sys/dev/i915/perf_stream_paranoid r,
# Currently only /usr/share/libdrm/amdgpu.ids exists, but future files should be allowed too.
/usr/share/libdrm/* r,

# Plain TCP/UDP over IPv4 and IPv6.
network inet  stream,
network inet6 stream,

network inet  dgram,
network inet6 dgram,

# Apparently needed for nscd lookups.
network netlink raw,

# Broad capabilities; presumably required by the browser's sandbox setup
# (user namespaces, chroot, ptrace of its own helper processes). The
# uid_map/gid_map/setgroups rules further down are consistent with user-namespace
# setup. Worth re-checking periodically whether sys_admin is still needed.
capability sys_admin,
capability sys_chroot,
capability sys_ptrace,

userns,

# Name-service and resolver configuration.
/{usr/,}etc/passwd r,
/{usr/,}etc/hosts r,
/{usr/,}etc/host.conf r,
/{usr/,}etc/nsswitch.conf       r,
/{usr/,}etc/gai.conf       r,
/{usr/,}etc/resolv.conf r,
/run/netconfig/resolv.conf r,
/run/systemd/resolve/* r,

/etc/machine-id r,

# System-wide policy directories. The explicit deny keeps rejected write
# attempts out of the audit log; deny rules take precedence over allows.
/etc/opt/chrome/ r,
deny /etc/opt/chrome/ w,
/etc/chromium/** r,
/etc/chromium/policies/{managed,recommended}/ r,

/run/nscd/* r,
/var/lib/nscd/* r,

# This is covered later in the abstractions, but we still need it for 15.1.
#
/usr/share/drirc.d/ r,

# Likely for PipeWire-based screen sharing.
/usr/share/pipewire/** r,

# This should probably be in abstractions/nvidia.
/usr/share/egl/egl_external_platform.d/ r,
/usr/share/egl/egl_external_platform.d/* r,

# TODO: make this Px too.
# Making this a Px rule requires the "no new privs" fix for the kernel part,
# which is scheduled for kernel 5.8.
# 'ix' keeps every child process under this same profile; 'm' allows mapping
# the binary executable.
@{BINARY_PATH} rmix,

# KDE browser integration helper (presumably a native-messaging host); it
# transitions to its own profile rather than inheriting this one.
ptrace peer=plasma-browser-integration-host,
signal peer=plasma-browser-integration-host,
/usr/bin/plasma-browser-integration-host Px -> plasma-browser-integration-host,

# Writes to the user's fontconfig cache are denied to avoid cache poisoning.
deny owner @{HOME}/.{,cache/}fontconfig/** wl,
deny /var/cache/fontconfig/ w,

# NVIDIA shader cache: read-only from this profile.
owner @{HOME}/.cache/nvidia/GLCache/** r,
deny @{HOME}/.cache/nvidia/GLCache/** w,

# Browser IPC sockets / shared memory, restricted to the owning user.
owner /dev/shm/@{SOCKET_PATH}* rwlk,
owner /tmp/@{SOCKET_PATH}.* rwlk,

# Per-user profile and cache directories.
owner @{HOME}/.config/@{CONFIG_SUBDIR}/ rw,
owner @{HOME}/.config/@{CONFIG_SUBDIR}/** rwlk,
owner @{HOME}/.cache/@{CONFIG_SUBDIR}/   rw,
owner @{HOME}/.cache/@{CONFIG_SUBDIR}/** rwlk,
# NOTE(review): the next line duplicates the one above; harmless, could be dropped.
owner @{HOME}/.cache/@{CONFIG_SUBDIR}/** rwlk,
owner @{HOME}/.local/share/.@{BROWSER}_reporting_data rwlk,


# These paths are hard-coded to google-chrome rather than using @{CONFIG_SUBDIR}.
owner @{HOME}/.config/google-chrome/PepperFlash/*/libpepflashplayer.so rm,
owner @{HOME}/.config/google-chrome/PepperFlash/latest-component-updated-flash r,
owner @{HOME}/.config/google-chrome/WidevineCdm/latest-component-updated-widevine-cdm r,
owner @{HOME}/.config/google-chrome/Dictionaries/*.bdic r,

# Component-updated Widevine CDM; 'm' is needed because it is loaded as a shared object.
owner @{HOME}/.config/@{CONFIG_SUBDIR}/WidevineCdm/[0-9].*/_platform_specific/linux_x64/libwidevinecdm.so rm,

owner @{HOME}/.cache/thumbnails/** r,

owner @{HOME}/.config/user-dirs.dirs r,

# TODO: shouldn't this be in abstractions/dconf?
owner /run/user/*/dconf/user rw,
owner /run/user/*/dconf/ rw,

# TODO: shouldn't this be in abstractions/nvidia?
owner @{HOME}/.nv/** rwlk,
owner /tmp/.gl* rm,

# Home directory listing plus full access to Downloads.
owner @{HOME}/ r,
owner @{HOME}/Downloads/ r,
owner @{HOME}/Downloads/** rw,

# TODO: include <abstractions/private-files>

# Legacy Flash plugin directory is explicitly blocked.
deny /usr/lib/adobe-flashplugin/ rwlk,

# /proc access for the browser's own processes.
# NOTE(review): statm and task/*/status below are not owner-restricted, so they
# are readable for any pid, not just the browser's own.
owner /proc/@{pid}/setgroups rw,
owner /proc/@{pid}/uid_map w,
owner /proc/@{pid}/gid_map w,
owner /proc/@{pid}/comm r,
owner /proc/@{pid}/clear_refs rw,
/proc/@{pid}/statm r,
owner /proc/@{pid}/task/ r,
/proc/@{pid}/task/*/status r,
owner /proc/@{pid}/mountinfo r,
owner /proc/@{pid}/limits r,

owner /proc/@{pid}/task/*/comm rw,
owner /proc/@{pid}/task/*/status r,
/proc/sys/kernel/yama/ptrace_scope r,

/dev/ r,
# For WebRTC camera access (LP: #1665535)
/dev/video[0-9]* rw,
/dev/bus/usb/ r,
/dev/bus/usb/[0-9]*/[0-9]* rw,
/proc/@{pid}/smaps_rollup r,


/proc/ r,
/proc/modules r,
/proc/vmstat r,

/proc/sys/fs/inotify/max_user_watches r,
# Hardware enumeration via sysfs (CPU, DMI, USB/PCI device attributes).
@{sys}/devices/system/cpu/{kernel_max,present} r,
@{sys}/devices/system/cpu/cpufreq/policy0/cpuinfo_max_freq r,
@{sys}/devices/virtual/dmi/id/sys_vendor r,
@{sys}/devices/virtual/dmi/id/product_name r,
@{sys}/devices/virtual/tty/tty0/active r,
@{sys}/devices/**/{resource,irq,class,config,uevent,descriptors,manufacturer,product,busnum,devnum,serial,bConfigurationValue,idVendor,idProduct,interface,report_descriptor,boot_vga} r,
@{sys}/bus/ r,
@{sys}/bus/*/devices/ r,
@{sys}/class/ r,
@{sys}/class/*/ r,
@{sys}/bus/pci/devices/ r,
/run/udev/data/* r,
/selinux/ r,
# Raw HID, serial (ttyACM) and USB device access, presumably for WebHID /
# Web Serial / WebUSB. Note that /dev/bus/usb/*/* subsumes the narrower
# /dev/bus/usb/[0-9]*/[0-9]* rule above.
/dev/hidraw* rw,
/proc/tty/drivers r,
/dev/ttyACM? rw,
/dev/bus/usb/*/* rw,

/dev/shm/ r,
# deny /usr/bin/* x,
# deny /bin/* x,
#

# System-wide extensions directory.
/usr/share/chromium/extensions/ r,
/usr/share/chromium/extensions/** r,

# Intel graphics feature files and the fontconfig uuid marker must not be writable.
deny /etc/igfx_user_feature.txt w,
deny /etc/igfx_user_feature_next.txt w,
deny /etc/igfx_user_feature_report.txt w,
deny @{HOME}/.fonts/.uuid w,

# Transition to the dedicated chromium_man_browser profile; with Px that profile
# must be loaded, otherwise the exec is denied.
/usr/bin/man Px -> chromium_man_browser,