abi <abi/4.0>,

include <tunables/global>

@{BROWSER} = vivaldi
@{APPNAME} = @{BROWSER}-snapshot
@{APPDIR} = /opt/@{APPNAME}
@{BINARY_NAME} = @{BROWSER}-bin
@{BINARY_PATH} = @{APPDIR}/@{BINARY_NAME}
@{SANDBOX_PATH} = @{APPDIR}/@{BROWSER}-sandbox
@{VARDIR}       = /var@{APPDIR}
@{SOCKET_PATH}  = .com.vivaldi
@{CONFIG_SUBDIR} = @{APPNAME}

profile vivaldi-snapshot @{APPDIR}/vivaldi-snapshot {
  include <abstractions/base>
  include <abstractions/bash>
  include <abstractions/consoles>
  include <abstractions/vivaldi-media-codecs>

  @{APPDIR}/vivaldi-snapshot r,

  /usr/bin/mkdir    px -> vivaldi-helper-mkdir,
  /usr/bin/cat      px -> vivaldi-helper-cat,
  /usr/bin/touch    px -> vivaldi-helper-touch,
  /usr/bin/dirname  px -> vivaldi-helper-dirname,
  /usr/bin/readlink px -> vivaldi-helper-readlink,
  /usr/bin/which    px -> vivaldi-helper-which,
  /usr/bin/ldd      px -> vivaldi-helper-ldd,
  /usr/bin/head     px -> vivaldi-helper-head,
  /usr/bin/sed      px -> vivaldi-helper-sed,

  /usr/bin/bash rm,

  # TODO: update-ffmpeg update-widevine

  # probably for the cat/redirect construct at the end
  owner /proc/@{pid}/fd/* w,

  @{BINARY_PATH} px,
}

profile vivaldi-snapshot-bin @{APPDIR}/vivaldi-bin {
  include <abstractions/chromium-common>
  include <abstractions/vivaldi>

  @{APPDIR}/vivaldi-snapshot  px,

  @{SANDBOX_PATH}             px,
  @{APPDIR}/{chrome_,}crashpad_handler  px,

  signal (send)    peer=vivaldi-snapshot-*,
  ptrace           peer=vivaldi-snapshot-*,
  signal (receive) peer=vivaldi-snapshot-crashpad-handler,

  include if exists <local/opt.vivaldi-snapshot.vivaldi-bin>
  include if exists <local/vivaldi-snapshot-bin>
}

profile vivaldi-snapshot-sandbox {
  include <abstractions/base>
  include <abstractions/vivaldi>

  @{SANDBOX_PATH} rm,

  capability sys_chroot,
  capability sys_admin,
  capability setuid,
  capability setgid,
  capability sys_resource,

  signal (receive) peer=vivaldi-snapshot-bin,
  @{BINARY_PATH} Px -> vivaldi-snapshot-sandboxed,
}

profile vivaldi-snapshot-sandboxed {
  include <abstractions/base>
  include <abstractions/vivaldi>
  include <abstractions/fonts>

  @{BINARY_PATH} rm,

  signal (receive) peer=vivaldi-snapshot-bin,

  /sys/devices/system/cpu/cpufreq/policy0/cpuinfo_max_freq r,

  /proc/ r,
  /proc/@{pid}/statm r,

  owner /dev/shm/@{SOCKET_PATH}.* rwlk,
}

profile vivaldi-snapshot-crashpad-handler @{APPDIR}/{chrome_,}crashpad_handler {
  include <abstractions/chromium-crash-handler>
  include <abstractions/vivaldi-media-codecs>

  signal receive  peer=vivaldi-snapshot-bin,
  signal (send)   peer=vivaldi-snapshot-*,
  ptrace          peer=vivaldi-snapshot-*,
}
