abi <abi/4.0>,

include <tunables/global>

# Profile-local variables. Only @{APPDIR} is referenced by a rule in this
# profile's own body (the *.node mmap rule); the others are presumably consumed
# by the included abstractions (chromium-common, teams) - verify against them.
@{BROWSER} = teams
@{APPNAME} = @{BROWSER}
# Installation directory; expands to /usr/share/teams.
@{APPDIR} = /usr/share/@{APPNAME}
@{BINARY_NAME} = @{BROWSER}
# Expands to /usr/share/teams/teams, the same path the profile header spells
# out literally as its attachment.
@{BINARY_PATH} = @{APPDIR}/@{BINARY_NAME}
# NOTE(review): looks like a file-name prefix for Chromium's runtime sockets or
# temporary directories - confirm where the abstraction anchors it.
@{SOCKET_PATH} = .org.chromium.Chromium
# Quoted because the value contains a space. The body below grants
# @{HOME}/.config/teams/ literally and does not use this variable.
@{CONFIG_SUBDIR} = "Microsoft/Microsoft Teams"

# Confinement policy for the Microsoft Teams desktop client, attached to the
# binary at /usr/share/teams/teams. No flags are given, so no complain or
# unconfined mode is requested by the profile itself. Most of the policy comes
# from the included abstractions; the rules below are the Teams-specific
# additions and the explicit denials.
profile teams /usr/share/teams/teams {
  include <abstractions/chromium-common>
  include <abstractions/teams>
  include <abstractions/consoles>

  # IPC with child profiles/hats of this profile (teams//*): signals may only be
  # sent, while the ptrace rule names no access mode and therefore grants all of
  # them (trace, read, tracedby, readby) for that peer.
  signal (send) peer=teams//*,
  ptrace        peer=teams//*,

  # Same for the lsb_release helper, which is executed under its own profile by
  # the Px rule further down. Neither rule restricts direction or access mode.
  signal        peer=lsb_release,
  ptrace        peer=lsb_release,

  # Processes confined by this same profile may ptrace each other.
  ptrace        peer=teams,

  # NOTE(review): cmdline and mem carry no `owner` qualifier, unlike the comm
  # rule below, and @{pid} (defined in tunables, not shown here) is not limited
  # to this process. Reading another process's mem should additionally have to
  # pass the ptrace rules above - confirm, and check whether `owner` can be added.
  /proc/@{pid}/cmdline r,
  /proc/@{pid}/mem r,
  owner /proc/@{pid}/task/*/comm rw,

  # Per-user runtime files whose name starts with "teams".
  owner /run/user/*/teams* rw,

  # The application's own configuration tree.
  owner @{HOME}/.config/teams/ rw,
  owner @{HOME}/.config/teams/** rw,

  # Executable mmap (m) of *.node files below the install directory. These are
  # writable only by whoever can write @{APPDIR}, so the rule is as trustworthy
  # as that directory's ownership.
  @{APPDIR}/**/*.node m,

  /usr/share/icu/*/icu*.dat r,

  # Original author's open question: possibly also needed for name resolution.
  network netlink dgram,

  # Explicit denials. A deny rule overrides any allow rule, including one pulled
  # in by an abstraction, and is not logged by default. These four keep CPU
  # topology and kernel identification strings from the application.
  deny /sys/devices/system/cpu/cpu*/ r,
  deny /proc/sys/kernel/ostype r,
  deny /proc/sys/kernel/osrelease r,
  deny /proc/version r,

  # Execution of locale is denied outright rather than given a child profile.
  # Author's note: this is ugly, but the parent's file descriptors are not
  # close-on-exec, so the child would inherit all of them.
  deny /usr/bin/locale x,

  # Refuse writing or hard-linking font directory .uuid files.
  # NOTE(review): presumably created by fontconfig - confirm.
  deny @{HOME}/.fonts/.uuid      wl,
  deny /usr/share/fonts/**/.uuid wl,

  # Px: run lsb_release under the separate lsb_release profile with a scrubbed
  # environment. That profile is not defined in this file and must be loaded
  # for the transition to succeed.
  /usr/bin/lsb_release Px -> lsb_release,

  # this should probably be in some abstraction
  # The libX11 compose cache is read-only for the application: reads are
  # allowed, write/link/lock attempts are denied without logging.
  /var/cache/libx11/compose/* r,
  deny /var/cache/libx11/compose/* wlk,

  # Link speed of network interfaces.
  /sys/devices/**/net/*/speed r,

  # Shared-memory segments named shm-<pid>-*.
  # NOTE(review): no `owner` qualifier, so segments created by other users match
  # as well and only file permissions protect them - confirm this is intended.
  /dev/shm/shm-@{pid}-* rw,

  # Keep the application from reading or writing its own login autostart entry,
  # i.e. from registering itself to start with the user's session.
  deny @{HOME}/.config/autostart/teams.desktop rw,

  # Optional site-local additions. Anything placed in local/teams is part of
  # this policy and can widen it (deny rules above still win), so review that
  # file together with this profile.
  include if exists <local/teams>
}
