abi <abi/4.0>,

include <tunables/global>

# Build-specific values for the Google Chrome beta channel. Later variables are
# built from earlier ones, so keep the definitions in this order.
# NOTE(review): @{APPNAME} and @{CONFIG_SUBDIR} are not referenced by any rule in
# this file; presumably the included chromium-common / google-chrome
# abstractions consume them - confirm before renaming or removing.
@{BROWSER} = chrome
@{APPNAME} = @{BROWSER}
# Installation directory; every executable path below is derived from it.
@{APPDIR} = /opt/google/chrome-beta
@{BINARY_NAME} = @{BROWSER}
# Main browser executable (attachment of profile google-chrome-beta-bin).
@{BINARY_PATH} = @{APPDIR}/@{BINARY_NAME}
# Sandbox helper executable (attachment of profile google-chrome-beta-sandbox).
@{SANDBOX_PATH} = @{APPDIR}/@{BROWSER}-sandbox
@{NACL_HELPER_PATH} = @{APPDIR}/nacl_helper
# Filename prefix of the files the sandboxed profiles may use under /dev/shm.
@{SOCKET_PATH} = .com.google.Chrome
@{CONFIG_SUBDIR} = google-chrome-beta

# Confines the launcher at @{APPDIR}/google-chrome-beta. The bash abstraction
# and the bash rule below suggest this is a shell wrapper script (not shown
# here) that ends by executing the real browser binary.
profile google-chrome-beta @{APPDIR}/google-chrome-beta {
  include <abstractions/base>
  include <abstractions/bash>
  include <abstractions/consoles>

  # The launcher itself only needs to be read by its interpreter.
  @{APPDIR}/google-chrome-beta r,

  # Each helper runs in its own named profile instead of inheriting this one.
  # The chromium-helper-* profiles are not defined in this file; with px the
  # exec is denied if the target profile is not loaded.
  # NOTE(review): lowercase px does not request environment scrubbing on the
  # transition (Px does) - confirm that is intentional for these helpers.
  /usr/bin/mkdir    px -> chromium-helper-mkdir,
  /usr/bin/cat      px -> chromium-helper-cat,
  /usr/bin/touch    px -> chromium-helper-touch,
  /usr/bin/dirname  px -> chromium-helper-dirname,
  /usr/bin/readlink px -> chromium-helper-readlink,
  /usr/bin/which    px -> chromium-helper-which,

  # bash may be read and mapped executable; there is no exec transition for it.
  /usr/bin/bash rm,

  # probably for the cat/redirect construct at the end
  # Write access is limited to fd entries of processes owned by the same user.
  owner /proc/@{pid}/fd/* w,

  # Hand over to the browser binary; px selects the profile attached to that
  # path, which in this file is google-chrome-beta-bin.
  @{BINARY_PATH} px,
}

# Confines the main browser executable. Most file and network rules come from
# the two abstractions below, which are not part of this file.
profile google-chrome-beta-bin @{APPDIR}/@{BINARY_NAME} {
  include <abstractions/chromium-common>
  include <abstractions/google-chrome>

  # Child executables switch to the profile attached to their own path:
  # the sandbox helper, the crash handler and the launcher each have one in
  # this file.
  @{SANDBOX_PATH}                   px,
  @{APPDIR}/chrome_crashpad_handler px,
  @{APPDIR}/google-chrome-beta      px,
  # we would love to use px, but it leads to NNP
  # (NNP presumably refers to no_new_privs - confirm.) With ix the helper keeps
  # running under this profile, so google-chrome-beta-nacl-helper is not
  # applied when the browser is the one starting nacl_helper.
  @{NACL_HELPER_PATH}        rmix,

  # The glob matches every loaded profile whose name starts with
  # google-chrome-beta-, not only the ones defined in this file.
  # ptrace without an access list grants all ptrace permissions on this side;
  # the peer profile still has to allow its own side.
  signal (send)    peer=google-chrome-beta-*,
  ptrace           peer=google-chrome-beta-*,
  signal (receive) peer=google-chrome-beta-crashpad-handler,

  /proc/@{pid}/cmdline r,
  # NOTE(review): no owner qualifier here, so the path rule covers the mem file
  # of any PID; access is then bounded only by the ptrace rules and the kernel's
  # own checks. Confirm whether "owner" can be added without breaking the
  # browser.
  /proc/@{pid}/mem r,

  # Optional site-local additions; skipped when the files do not exist.
  include if exists <local/opt.google.chrome.chrome>
  include if exists <local/google-chrome-beta>
}

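# Confines the chrome-sandbox helper. It holds the privileged capabilities
# needed to set up the sandbox and then re-executes the browser binary under
# the tighter google-chrome-beta-sandboxed profile.
profile google-chrome-beta-sandbox @{APPDIR}/@{BROWSER}-sandbox {
  include <abstractions/base>
  include <abstractions/google-chrome>

  @{SANDBOX_PATH} rm,

  # Privileged operations granted to the helper only. sys_admin in particular
  # is very broad.
  # NOTE(review): confirm each capability is still required by the installed
  # sandbox binary and drop any that is not.
  capability sys_chroot,
  capability sys_admin,
  capability setuid,
  capability setgid,
  capability sys_resource,

  # peer= is matched against the sender's profile label, not its executable
  # path. The browser is confined under the named profile
  # google-chrome-beta-bin, so a path-valued peer would never match it.
  signal (receive) peer=google-chrome-beta-bin,
  # Uppercase Px: switch to the named profile and scrub the environment.
  @{BINARY_PATH} Px -> google-chrome-beta-sandboxed,
}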

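# Profile for browser processes started through the sandbox helper. It has no
# attachment path, so it is only entered by an explicit transition (in this
# file: the Px rule in google-chrome-beta-sandbox).
profile google-chrome-beta-sandboxed {
  include <abstractions/base>
  include <abstractions/google-chrome>
  include <abstractions/fonts>

  # The binary may be read and mapped executable, but not executed again.
  @{BINARY_PATH} rm,

  # peer= is matched against the sender's profile label, not its executable
  # path. The browser is confined under the named profile
  # google-chrome-beta-bin, so a path-valued peer would never match it.
  signal (receive) peer=google-chrome-beta-bin,
  /sys/devices/system/cpu/cpufreq/policy0/cpuinfo_max_freq r,

  # Directory listing of /proc plus the statm file of a process.
  /proc/ r,
  /proc/@{pid}/statm r,

  # Shared-memory files with the Chrome prefix, restricted to files owned by
  # the same user.
  owner /dev/shm/@{SOCKET_PATH}* rwlk,
}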

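# Profile attached to the nacl_helper executable. The browser profile in this
# file starts nacl_helper with ix (inherit), so this profile only applies when
# the helper is started from a context that transitions by attachment.
profile google-chrome-beta-nacl-helper @{APPDIR}/nacl_helper {
  include <abstractions/base>
  include <abstractions/google-chrome>
  include <abstractions/fonts>

  @{NACL_HELPER_PATH} rm,

  # peer= is matched against the sender's profile label, not its executable
  # path. The browser is confined under the named profile
  # google-chrome-beta-bin, so a path-valued peer would never match it.
  signal (receive) peer=google-chrome-beta-bin,

  # Directory listing of /proc plus the statm file of a process.
  /proc/ r,
  /proc/@{pid}/statm r,

  # Shared-memory files with the Chrome prefix, restricted to files owned by
  # the same user.
  owner /dev/shm/@{SOCKET_PATH}* rwlk,
}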

# Confines chrome_crashpad_handler. File access comes entirely from the
# chromium-crash-handler abstraction, which is not part of this file.
profile google-chrome-beta-crashpad-handler @{APPDIR}/chrome_crashpad_handler {
  include <abstractions/chromium-crash-handler>

  # Signals are accepted from the browser profile only.
  signal receive  peer=google-chrome-beta-bin,
  # The glob matches every loaded profile whose name starts with
  # google-chrome-beta-. ptrace without an access list grants all ptrace
  # permissions on this side; the peer profile must still allow its own side.
  # NOTE(review): confirm the handler needs more than read-style ptrace access
  # and narrow the rule if it does not.
  signal (send)   peer=google-chrome-beta-*,
  ptrace          peer=google-chrome-beta-*,
}