# AppArmor abstraction shared by the "chromium in browser" profiles.
# It is meant to be included from a profile, not loaded on its own: the
# variables @{BINARY_PATH}, @{CONFIG_SUBDIR}, @{SOCKET_PATH} and @{BROWSER}
# are not defined here and must come from the including profile (or a tunable).
#include <abstractions/base>
#
# TLS / PKCS#11 stacks and certificate stores
#include <abstractions/p11-kit>
#include <abstractions/p11-kit-files>
#include <abstractions/openssl>
#include <abstractions/ssl_certs>
#include <abstractions/nssdb-user-files>
#
# Desktop integration
#include <abstractions/fonts>
#include <abstractions/gnome>
#include <abstractions/dconf>
#
# Helper processes that are launched from inside the browser
#include <abstractions/keepassxc-proxy-chromium-in-browser>
#include <abstractions/xdg-tools-chromium-in-browser>
#
# OpenCL is not actually used in most cases, but the abstraction gives us the
# GPU device access we need
#include <abstractions/X>
#include <abstractions/opencl>
#include <abstractions/dri-enumerate>
#include <abstractions/nvidia>
#include <abstractions/audio>

# TCP and UDP over IPv4/IPv6
network inet  stream,
network inet6 stream,

network inet  dgram,
network inet6 dgram,

# appears to be needed for nscd lookups (see the /run/nscd rules below)
network netlink raw,

# NOTE(review): sys_admin is a very broad capability (mounts, namespaces, many
# privileged ioctls). Together with sys_chroot and sys_ptrace this is presumably
# what the browser's own sandbox setup needs (see the setgroups/uid_map/gid_map
# writes under /proc further down) — confirm against the binary and drop
# whichever of the three is not actually exercised.
capability sys_admin,
capability sys_chroot,
capability sys_ptrace,

# Name resolution and host identity
/{usr/,}etc/passwd r,
/{usr/,}etc/hosts r,
/{usr/,}etc/host.conf r,
/{usr/,}etc/nsswitch.conf       r,
/{usr/,}etc/gai.conf       r,
/{usr/,}etc/resolv.conf r,
/run/netconfig/resolv.conf r,
/etc/machine-id r,

/run/nscd/* r,
/var/lib/nscd/* r,

# this is later in abstractions but we need it for 15.1
#
/usr/share/drirc.d/ r,

# rmix: the browser binary runs under this profile and every child it executes
# inherits it (ix), so helpers get exactly the same confinement.
# TODO: make this Px too
# making this a Px rule requires the "no new privs" fix for the kernel part,
# which is scheduled for kernel 5.8
@{BINARY_PATH} rmix,

# The KDE browser-integration host gets its own profile (Px -> ...); the
# ptrace/signal peer rules allow this profile to interact with that process.
ptrace peer=plasma-browser-integration-host,
signal peer=plasma-browser-integration-host,
/usr/bin/plasma-browser-integration-host Px -> plasma-browser-integration-host,

# Deny writes to the user and system fontconfig caches to avoid cache poisoning.
# (deny rules take precedence over anything the fonts abstraction may allow.)
deny owner @{HOME}/.{,cache/}fontconfig/** wl,
deny /var/cache/fontconfig/ w,

# IPC sockets/shared memory, restricted to files owned by the browser's user
owner /dev/shm/@{SOCKET_PATH}* rwlk,
owner /tmp/@{SOCKET_PATH}.* rwlk,

# Per-browser config and cache trees
owner @{HOME}/.config/@{CONFIG_SUBDIR}/ r,
owner @{HOME}/.config/@{CONFIG_SUBDIR}/** rwlk,
# NOTE(review): the .cache rule is listed twice; one copy can be dropped.
owner @{HOME}/.cache/@{CONFIG_SUBDIR}/** rwlk,
owner @{HOME}/.cache/@{CONFIG_SUBDIR}/** rwlk,
# TODO: owner @{HOME}/.local/share/.@{SOCKET_PATH}** rwlk,
owner @{HOME}/.local/share/.@{BROWSER}_reporting_data rwlk,


# NOTE(review): these paths are hard-coded to google-chrome rather than using
# @{CONFIG_SUBDIR}; presumably only Chrome ships component-updated Flash /
# Widevine and dictionaries this way — verify before generalising.
owner @{HOME}/.config/google-chrome/PepperFlash/*/libpepflashplayer.so rm,
owner @{HOME}/.config/google-chrome/PepperFlash/latest-component-updated-flash r,
owner @{HOME}/.config/google-chrome/WidevineCdm/latest-component-updated-widevine-cdm r,
owner @{HOME}/.config/google-chrome/Dictionaries/*.bdic r,

owner @{HOME}/.cache/thumbnails/** r,

owner @{HOME}/.config/user-dirs.dirs r,

# TODO: shouldn't this be in abstractions/dconf?
owner /run/user/*/dconf/user rw,

# TODO: shouldn't this be in abstractions/nvidia?
owner @{HOME}/.nv/** rwlk,
owner /tmp/.gl* rm,

# Home directory listing plus full read/write of Downloads only; the rest of
# @{HOME} stays unreachable unless granted above or by an included abstraction.
owner @{HOME}/ r,
owner @{HOME}/Downloads/ r,
owner @{HOME}/Downloads/** rw,

# TODO: include <abstractions/private-files>

deny /usr/lib/adobe-flashplugin/ rwlk,

# Own-process /proc entries. setgroups/uid_map/gid_map writes are presumably
# the user-namespace setup of the browser sandbox (pairs with sys_admin above);
# clear_refs resets the page reference / soft-dirty bits of the process.
/proc/@{pid}/setgroups rw,
/proc/@{pid}/uid_map w,
/proc/@{pid}/gid_map w,
/proc/@{pid}/comm r,
/proc/@{pid}/clear_refs rw,
/proc/@{pid}/statm r,
/proc/@{pid}/task/ r,
/proc/@{pid}/task/*/status r,
/proc/@{pid}/mountinfo r,

/dev/ r,
# For WebRTC camera access (LP: #1665535)
/dev/video[0-9]* rw,

/proc/ r,
/proc/modules r,
/proc/vmstat r,

# Hardware / system enumeration (read-only)
/proc/sys/fs/inotify/max_user_watches r,
@{sys}/devices/system/cpu/cpufreq/policy0/cpuinfo_max_freq r,
@{sys}/devices/virtual/dmi/id/sys_vendor r,
@{sys}/devices/virtual/dmi/id/product_name r,
@{sys}/devices/virtual/tty/tty0/active r,
@{sys}/devices/**/{resource,irq,class,config,uevent,descriptors,manufacturer,product,busnum,devnum,serial,bConfigurationValue,idVendor,idProduct,interface} r,
@{sys}/bus/ r,
@{sys}/bus/*/devices/ r,
@{sys}/class/ r,
@{sys}/class/*/ r,
@{sys}/bus/pci/devices/ r,
/run/udev/data/* r,
/selinux/ r,

/dev/shm/ r,

# Disabled rules, kept for reference:
# deny /usr/bin/* x,
# deny /bin/* x,


