# AppArmor profile body for an Electron-based application.
# The variables @{APPDIR}, @{CONFIG_SUBDIR} and @{SOCKET_PATH} are referenced
# but not defined here; they are expected to come from the including profile.
include <abstractions/base>
#
# Crypto and trust stores: PKCS#11 modules, OpenSSL configuration, the system
# CA certificates and the user's NSS database (read-only via the abstractions).
include <abstractions/p11-kit>
include <abstractions/p11-kit-files>
include <abstractions/openssl>
include <abstractions/ssl_certs>
include <abstractions/nssdb-user-files>
#
# Desktop integration: fonts, GNOME/GTK settings and dconf.
include <abstractions/fonts>
include <abstractions/gnome>
include <abstractions/dconf>
#
#
# Display and GPU access.
# It is not actually using OpenCL in most cases, but that abstraction gives us device access.
include <abstractions/X>
include <abstractions/opencl>
include <abstractions/dri-enumerate>
include <abstractions/nvidia>
include <abstractions/audio>

include <abstractions/consoles>
include <abstractions/mesa>
include <abstractions/vulkan>


# TODO: should probably be in some abstraction
/proc/sys/dev/i915/perf_stream_paranoid r,
# It seems it only uses /usr/share/libdrm/amdgpu.ids, but I want to allow future files too.
/usr/share/libdrm/* r,
# Read-only access to a fixed set of sysfs device attributes (PCI/USB identification);
# no write access to sysfs is granted anywhere in this profile.
@{sys}/devices/**/{resource,irq,class,config,uevent,descriptors,manufacturer,product,busnum,devnum,serial,bConfigurationValue,idVendor,idProduct,interface,report_descriptor,boot_vga} r,
# NVIDIA shader cache: readable, but writes are explicitly denied. A deny rule
# takes precedence over any allow rule the abstractions above may contribute.
owner @{HOME}/.cache/nvidia/GLCache/** r,
deny @{HOME}/.cache/nvidia/GLCache/** w,

# Stream (TCP) and datagram (UDP) sockets over IPv4 and IPv6.
network inet  stream,
network inet6 stream,

network inet  dgram,
network inet6 dgram,

# seems for nscd
network netlink raw,

# Broad capabilities. Together with the `userns` rule below these look like
# what the Chromium/Electron sandbox setup needs (see the uid_map/gid_map and
# ptrace_scope rules further down); sys_admin in particular is close to full
# root. TODO: confirm which of these the current Electron version still requires.
capability sys_admin,
capability sys_chroot,
capability sys_ptrace,

# Allow unprivileged user-namespace creation (newer AppArmor rule type).
userns,

# Name resolution: NSS configuration, hosts and resolver files, including the
# distribution-specific resolv.conf locations (netconfig, systemd-resolved).
/{usr/,}etc/passwd r,
/{usr/,}etc/hosts r,
/{usr/,}etc/host.conf r,
/{usr/,}etc/nsswitch.conf       r,
/{usr/,}etc/gai.conf       r,
/{usr/,}etc/resolv.conf r,
/run/netconfig/resolv.conf r,
/run/systemd/resolve/* r,

# nscd socket directory and persistent cache (read-only).
/run/nscd/* r,
/var/lib/nscd/* r,

# Electron runtime: the main binary and its shared objects need `m` so they can
# be mapped executable; everything else under the directory is read-only.
/usr/lib{64,}/electron/electron rm,
/usr/lib{64,}/electron/** r,

/usr/lib{64,}/electron/*.so rm,
/usr/lib{64,}/electron/swiftshader/libGLESv2.so rm,
/usr/lib{64,}/electron/swiftshader/libEGL.so rm,

# Application directory: read everything; only the native addons (*.node) and
# the zkgroup library get `m` (executable mapping). No write access to @{APPDIR}.
@{APPDIR}/ r,
@{APPDIR}/** r,
@{APPDIR}/resources/app.asar.unpacked/node_modules/zkgroup/libzkgroup-x64.so rm,
@{APPDIR}/resources/**/*.node rm,
@{APPDIR}/node_modules/**/*.node rm,

# ICU locale data.
/usr/share/icu/*/icud*.dat r,

# We deny write and link access to the user's fontconfig cache to avoid cache
# poisoning; the deny overrides any allow an included abstraction may grant.
deny owner @{HOME}/.{,cache/}fontconfig/** wl,
deny /var/cache/fontconfig/ w,

/etc/machine-id r,

# Shared-memory segments named after @{SOCKET_PATH}, owner-only: read, write, link, lock.
owner /dev/shm/@{SOCKET_PATH}* rwlk,

# Per-user configuration directory (owner-only read/write, link and lock).
owner @{HOME}/.config/@{CONFIG_SUBDIR}/ rw,
owner @{HOME}/.config/@{CONFIG_SUBDIR}/** rwlk,

# Home: directory listing only. ~/Downloads is the only user location this
# profile allows writing to.
owner @{HOME}/ r,
owner @{HOME}/Downloads/ r,
owner @{HOME}/Downloads/** rw,

# Thumbnail cache is read-only here.
owner @{HOME}/.cache/thumbnails/** r,

# TODO: find out how to deny reading all files in e.g. ~ so it won't create some useless warnings when you want to browse to ~/Downloads/
# where you can actually write.

# seems for finding things for the sandbox code.
/proc/ r,

# Own-process introspection. Note that /proc/@{pid}/stat is readable for any
# pid, not only owner-qualified ones like the rest; TODO: check whether `owner`
# is sufficient there as well.
owner /proc/@{pid}/cmdline r,
/proc/@{pid}/stat r,
owner /proc/@{pid}/statm r,
owner /proc/@{pid}/comm r,
owner /proc/@{pid}/fd/ r,
owner /proc/@{pid}/task/ r,
owner /proc/@{pid}/task/*/status r,

owner /proc/@{pid}/oom_score_adj w,

# User-namespace id-mapping setup for the process's own pid (owner-qualified);
# pairs with the `userns` rule above.
owner /proc/@{pid}/setgroups w,
owner /proc/@{pid}/gid_map w,
owner /proc/@{pid}/uid_map w,

owner /proc/@{pid}/mountinfo r,

# Kernel tunables read at startup: inotify watch limit and Yama ptrace scope
# (the latter is presumably probed by the sandbox/crash-handler code — unconfirmed).
/proc/sys/fs/inotify/max_user_watches r,
/proc/sys/kernel/yama/ptrace_scope r,

# why? (tty0/active is the currently active VT; which library probes it is unknown)
/sys/devices/virtual/tty/tty0/active r,

# TODO: shouldn't this be in abstractions/dconf
owner /run/user/*/dconf/user rw,

# it would need to be ix, and nobody wants that, and with px it runs into NNP
# (no_new_privs: a domain transition is refused when the process has NNP set).
deny /usr/bin/xdg-settings x,

# Intel graphics driver feature files: explicitly deny writes. Deny rules are
# quiet by default, so this also keeps these attempts out of the audit log.
deny /etc/igfx_user_feature.txt w,
deny /etc/igfx_user_feature_next.txt w,
deny /etc/igfx_user_feature_report.txt w,
