# AppArmor policy for Visual Studio Code: the main editor process plus the
# helper binaries it executes.  The abi line pins the policy ABI the parser
# applies to every rule in this file.
abi <abi/4.0>,

include <tunables/global>

# Install-location variables.  @{BINARY_PATH} expands to
# /usr/share/code/code; keep these in sync with the package layout.
# The @{BROWSER}/@{APPDIR} names are presumably consumed by the
# chromium-common abstraction included below -- confirm against it.
@{BROWSER} = code
@{APPNAME} = @{BROWSER}
@{APPDIR} = /usr/share/@{APPNAME}
@{BINARY_NAME} = @{BROWSER}
@{BINARY_PATH} = @{APPDIR}/@{BINARY_NAME}
# Chromium-derived shared-memory/socket name prefix, matched under
# /dev/shm and /tmp in the helper profiles.
@{SOCKET_PATH} = .org.chromium.Chromium
# Subdirectory of @{HOME}/.config holding the editor's user data.
@{CONFIG_SUBDIR} = Code

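# Main editor process.  The attachment uses @{BINARY_PATH} (expands to
# /usr/share/code/code) so the binary location is declared once, next to
# the other install-location variables, instead of being repeated here.
profile vscode @{BINARY_PATH} {
  include <abstractions/chromium-common>
  include <abstractions/vscode>
  include <abstractions/consoles>

  # The editor may signal and ptrace its helper profiles (vscode-rg,
  # vscode-vsce-sign, vscode-code-tunnel).  A ptrace rule without an
  # access list grants every ptrace permission, including trace.
  signal (send) peer=vscode-*,
  ptrace        peer=vscode-*,

  # Counterpart of the Px transition to the lsb_release profile below.
  signal        peer=lsb_release,
  ptrace        peer=lsb_release,

  # deny rules are quiet unless prefixed with audit; the denies in this
  # profile silence accesses the editor attempts but does not need.
  deny /proc/version r,

  owner @{HOME}/.cache/typescript/ rw,
  owner @{HOME}/.cache/typescript/** rwlk,
  owner @{HOME}/.cache/Microsoft/ rw,
  owner @{HOME}/.cache/Microsoft/DeveloperTools/ rw,
  # NOTE(review): presumably a persistent device/telemetry identifier;
  # denying it keeps the editor from creating or reading one.
  deny  @{HOME}/.cache/Microsoft/DeveloperTools/deviceid rw,

  # Not owner-restricted: cmdline and mem of any pid match.  Opening
  # /proc/@{pid}/mem also goes through the kernel's ptrace access check,
  # so the ptrace peer rules above are expected to bound which processes
  # are actually reachable -- confirm in the audit log before relying on
  # it.  If the editor only inspects its own process tree, `owner` would
  # narrow both rules.
  /proc/@{pid}/cmdline r,
  /proc/@{pid}/mem r,
  owner /proc/@{pid}/task/*/comm rw,

  owner @{HOME}/.vscode/ r,
  owner @{HOME}/.vscode/** rwlk,

  owner /run/user/*/vscode* rw,

  # Native node modules shipped with the application need mmap-exec.
  @{APPDIR}/**/*.node m,

  # git runs unconfined (Ux: environment scrubbed).  Everything git does on
  # the editor's behalf, including hooks and helpers it spawns, is outside
  # this policy; a dedicated git profile (Px) would keep it in scope.
  /usr/lib{exec,}/git/git Ux,
  /usr/lib{exec,}/git/git-write-tree Ux,

  /usr/share/icu/*/icu*.dat r,

  # fontconfig cache markers; the editor has no need to create them.
  deny @{HOME}/.fonts/.uuid      wl,
  deny /usr/share/fonts/**/.uuid wl,
  deny /etc/shells r,
  deny /{usr/,}bin/zsh x,

  # Directory listings of executable search paths (quiet).
  deny @{HOME}/bin/      r,
  deny /usr/local/{s,}bin/ r,
  deny /usr/{s,}bin/ r,
  deny /opt/ r,

  deny /usr/bin/python* rx,

  deny /usr/bin/xdg-open rx,

  deny /proc/uptime r,

  /usr/bin/lsb_release Px -> lsb_release,

  # Helpers confined by the profiles below.  NOTE(review): rg uses px
  # (caller environment kept) while vsce-sign uses Px (environment
  # scrubbed); unless rg relies on an inherited LD_* or similar variable,
  # Px for both would be the consistent choice -- confirm.
  @{APPDIR}/resources/app/node_modules{,.asar.unpacked}/@vscode/ripgrep/bin/rg px,
  @{APPDIR}/resources/app/node_modules{,.asar.unpacked}/@vscode/vsce-sign/bin/vsce-sign Px,

  # The editor may not start the tunnel helper; the vscode-code-tunnel
  # profile below therefore only applies when it is launched another way.
  deny @{APPDIR}/bin/code-tunnel x,

  include if exists <local/vscode>
}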

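# ripgrep, the editor's file-search helper (entered from vscode via px).
# attach_disconnected: paths that are not connected to the namespace root
# are matched as though rooted at "/" instead of being rejected outright.
profile vscode-rg @{APPDIR}/resources/app/node_modules{,.asar.unpacked}/@vscode/ripgrep/bin/rg flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/fonts>
  include <abstractions/consoles>
  # NOTE(review): this shares the main profile's site-local override file,
  # so any rule an administrator adds for the editor also applies to rg;
  # a separate <local/vscode-rg> would keep the two independent -- confirm
  # that sharing is intended.
  include if exists <local/vscode>

  @{APPDIR}/resources/app/node_modules{,.asar.unpacked}/@vscode/ripgrep/bin/rg rm,
  /sys/kernel/mm/transparent_hugepage/enabled r,
  # The comma inside this path is part of the path; the rule still ends
  # at the trailing comma.
  /sys/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r,
  owner /proc/@{pid}/cgroup r,
  owner /proc/@{pid}/mountinfo r,

  # Descriptors inherited from the editor (opened without O_CLOEXEC) are
  # re-checked against this profile at exec.
  @{APPDIR}/** r,
  @{APPDIR}/**/*.node m,

  owner /dev/shm/@{SOCKET_PATH}* rwlk,
  owner /proc/@{pid}/statm r,

  # Quiet denials for editor resources rg has no use for (presumably
  # reached through inherited descriptors).  The config path uses
  # @{CONFIG_SUBDIR}, the same variable the log rule below uses.
  deny /tmp/@{SOCKET_PATH}* rwlk,
  deny @{HOME}/.config/@{CONFIG_SUBDIR}/** rwlk,
  deny network netlink raw,

  signal (receive) peer=vscode,

  # Inherited log descriptor.  NOTE(review): the deny on
  # @{HOME}/.config/@{CONFIG_SUBDIR}/** above carries w, which implies a
  # in AppArmor, and deny takes precedence over allow -- so this append
  # rule is likely ineffective.  Verify with `audit deny` in the audit
  # log, and carve logs/ out of the deny if the descriptor must stay
  # usable.
  owner @{HOME}/.config/@{CONFIG_SUBDIR}/logs/**/*.log a,
}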


# Tunnel helper.  Beyond the base abstraction it may only read and map
# itself; there is no network or file rule here.  NOTE(review): the main
# profile also denies executing it, so this reads as a lockdown stub that
# attaches only when the helper is started some other way -- confirm that
# is the intent rather than an unfinished profile.
profile vscode-code-tunnel @{APPDIR}/bin/code-tunnel {
  include <abstractions/base>
  @{APPDIR}/bin/code-tunnel rm,
}

# Extension signature verifier, entered from the editor via Px.  Beyond the
# base abstraction it may only read and map itself.  NOTE(review): its
# input presumably arrives through arguments or inherited descriptors; if
# verification fails under this profile, check the audit log for the
# missing file rules before widening it.
profile vscode-vsce-sign @{APPDIR}/resources/app/node_modules{,.asar.unpacked}/@vscode/vsce-sign/bin/vsce-sign {
  include <abstractions/base>
  @{APPDIR}/resources/app/node_modules{,.asar.unpacked}/@vscode/vsce-sign/bin/vsce-sign rm,
}
