# AppArmor policy for VSCodium (the Code-OSS build shipped as /usr/share/codium).
# Declares the policy feature ABI the rules below are written against.
abi <abi/4.0>,

# Supplies the shared tunables used below (@{HOME}, @{pid}, ...).
include <tunables/global>

# Variable layout follows the chromium-style template (see the
# abstractions/chromium-common include in the main profile).
@{BROWSER} = codium
@{APPNAME} = @{BROWSER}
@{APPDIR} = /usr/share/@{APPNAME}
@{BINARY_NAME} = @{BROWSER}
@{BINARY_PATH} = @{APPDIR}/@{BINARY_NAME}
# sandbox helper; confined by the vscodium-sandbox / vscodium-sandboxed profiles below
@{SANDBOX_PATH} = @{APPDIR}/chrome-sandbox
# name prefix of the shared-memory objects under /dev/shm
@{SOCKET_PATH} = .org.chromium.Chromium
# per-user config directory name under @{HOME}/.config (used by the rg profile)
@{CONFIG_SUBDIR} = Code-OSS

profile vscodium @{BINARY_PATH} {
  include <abstractions/chromium-common>
  include <abstractions/vscodium>
  include <abstractions/consoles>

  # --- bundled binaries ------------------------------------------------------
  # native node addons shipped with the application
  @{APPDIR}/**/*.node m,
  # bundled ripgrep, confined by the vscodium-rg profile attached to this path
  @{APPDIR}/resources/app/node_modules{,.asar.unpacked}/vscodium-ripgrep/bin/rg px,
  # sandbox helper, confined by the vscodium-sandbox profile attached to this path
  @{SANDBOX_PATH} px,

  # --- confined children -----------------------------------------------------
  # peer= is matched against the child's profile *name*; vscodium-* covers the
  # vscodium-sandbox and vscodium-sandboxed profiles
  signal (send) peer=vscodium-*,
  ptrace        peer=vscodium-*,
  signal        peer=lsb_release,
  ptrace        peer=lsb_release,
  /usr/bin/lsb_release Px -> lsb_release,

  # --- unconfined children ---------------------------------------------------
  # git runs unconfined (Ux: no profile, environment scrubbed).  Whatever git
  # itself spawns inherits that unconfined state, so git is a policy boundary.
  /usr/lib/git/git                Ux,
  /usr/lib/git/git-write-tree     Ux,
  /usr/libexec/git/git            Ux,
  /usr/libexec/git/git-write-tree Ux,

  # --- /proc -----------------------------------------------------------------
  # @{pid} is any pid, not only the profile's own.  NOTE(review): reading
  # another task's mem is additionally subject to the kernel's ptrace access
  # check, so in practice the ptrace peer rules above bound it -- confirm.
  /proc/@{pid}/cmdline r,
  /proc/@{pid}/mem r,

  # --- user state ------------------------------------------------------------
  owner @{HOME}/.vscode-oss/   r,
  owner @{HOME}/.vscode-oss/** rwlk,
  owner /run/user/*/vscode*    rw,

  /usr/share/icu/*/icu*.dat r,

  # fontconfig cache-marker writes; denied explicitly to keep the log quiet
  deny @{HOME}/.fonts/.uuid      wl,
  deny /usr/share/fonts/**/.uuid wl,

  include if exists <local/vscodium>
}

profile vscodium-rg @{APPDIR}/resources/app/node_modules{,.asar.unpacked}/vscodium-ripgrep/bin/rg {
  include <abstractions/base>
  include <abstractions/fonts>
  include <abstractions/consoles>
  # NOTE(review): this is the same local override the main profile includes,
  # so any rule added to local/vscodium widens rg as well.  Presumably that is
  # how workspace paths rg has to search are meant to be granted -- confirm.
  include if exists <local/vscodium>

  # self
  @{APPDIR}/resources/app/node_modules{,.asar.unpacked}/vscodium-ripgrep/bin/rg rm,

  # descriptors inherited from the parent (opened without CLOEXEC)
  @{APPDIR}/**        r,
  @{APPDIR}/**/*.node m,
  owner @{HOME}/.config/@{CONFIG_SUBDIR}/logs/**/*.log a,
  owner /dev/shm/@{SOCKET_PATH}* rwlk,
}

# keep in sync with google-chrome-stable
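profile vscodium-sandbox @{SANDBOX_PATH} {
  include <abstractions/base>
  include <abstractions/vscodium>

  @{SANDBOX_PATH} rm,

  # capabilities the sandbox helper uses (presumably for the chroot/namespace
  # setup of the renderer sandbox); list mirrors google-chrome-stable
  capability sys_chroot,
  capability sys_admin,
  capability setuid,
  capability setgid,
  capability sys_resource,

  # The parent is the *named* profile "vscodium", and peer= is matched against
  # the peer's profile name, not its attachment path -- so the path form alone
  # never matches the parent.  The path form is kept only for parity with the
  # google-chrome-stable layout this file mirrors.
  signal (receive) peer=vscodium,
  signal (receive) peer=@{BINARY_PATH},

  @{BINARY_PATH} Px -> vscodium-sandboxed,
}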

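profile vscodium-sandboxed {
  include <abstractions/base>
  include <abstractions/vscodium>
  include <abstractions/fonts>

  @{BINARY_PATH} rm,

  # The sender is the *named* profile "vscodium"; peer= is matched against the
  # profile name, so the path form alone never matches it.  The path form is
  # kept only for parity with the google-chrome-stable layout.
  signal (receive) peer=vscodium,
  signal (receive) peer=@{BINARY_PATH},

  /sys/devices/system/cpu/cpufreq/policy0/cpuinfo_max_freq r,

  # @{pid} is any pid; statm exposes only memory-usage counters
  /proc/ r,
  /proc/@{pid}/statm r,

  owner /dev/shm/@{SOCKET_PATH}* rwlk,
}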
