#include <tunables/global>

# Tunables used by the profile below. @{APPNAME}, @{BINARY_NAME} and
# @{BINARY_PATH} are all derived from @{BROWSER}, so for a differently named
# build only @{BROWSER} and @{APPDIR} need changing. Note that the profile's
# attachment path (/opt/google/chrome/chrome) and the "google-chrome-stable//..."
# transition targets are written out literally rather than through these
# variables, so they have to be kept in sync by hand.
@{BROWSER} = chrome
@{APPNAME} = @{BROWSER}
@{APPDIR} = /opt/google/@{APPNAME}
@{BINARY_NAME} = @{BROWSER}
# Main browser binary; also the label/path the sub-profiles refer to.
@{BINARY_PATH} = @{APPDIR}/@{BINARY_NAME}
# Setuid sandbox helper, confined by the "sandbox" sub-profile.
@{SANDBOX_PATH} = @{APPDIR}/@{BROWSER}-sandbox
# Native Client helper; see the rmix rule in the profile for why it is
# currently inherited rather than transitioned.
@{NACL_HELPER_PATH} = @{APPDIR}/nacl_helper
# Name prefix of the shared-memory objects under /dev/shm that the sandboxed
# sub-profiles may use (matched with a trailing glob in the rules).
@{SOCKET_PATH} = .com.google.Chrome
# NOTE(review): not referenced in this file; presumably consumed by the
# google-chrome abstraction -- confirm before removing.
@{CONFIG_SUBDIR} = google-chrome

# Main profile. The confinement label is "google-chrome-stable" (not the
# attachment path), and the sub-profiles below are entered through Px
# transitions, which also scrub the environment of the child.
profile google-chrome-stable /opt/google/chrome/chrome {
  #include <abstractions/chromium-common>
  #include <abstractions/google-chrome>

  # The setuid sandbox helper runs under its own sub-profile so that the
  # capabilities it needs are not granted to the browser process itself.
  @{SANDBOX_PATH}     Px -> google-chrome-stable//sandbox,
  # We can't use Px here because at the point where nacl_helper is launched,
  # the chrome main process is already set to "no new privs", so a profile
  # transition would be refused. With ix the helper inherits this profile,
  # which means the nacl_helper sub-profile below is only reached if the
  # commented-out Px variant is restored.
  @{NACL_HELPER_PATH} rmix, #Px -> google-chrome-stable//nacl_helper,

  # The browser signals and ptraces its own sub-profiled children (e.g. to
  # stop renderers or collect crash state). Signal mediation is checked on
  # both ends, so each sub-profile also carries a receive rule.
  signal (send) peer=google-chrome-stable//*,
  ptrace        peer=google-chrome-stable//*,

  # NOTE(review): @{pid} is a pattern matching any pid, not the caller's own,
  # so these rules are not limited to the process itself; an "owner" prefix
  # would narrow them to same-uid processes. The kernel's ptrace-access check
  # still governs /proc/*/mem -- confirm the wider grant is intended.
  /proc/@{pid}/cmdline r,
  /proc/@{pid}/mem r,

  # Setuid sandbox helper. It needs privileges to build the sandbox
  # (chroot/namespaces, uid/gid changes, rlimits -- hence the capabilities)
  # and then re-executes the browser binary as a sandboxed child.
  profile sandbox {
    #include <abstractions/base>
    #include <abstractions/google-chrome>

    @{SANDBOX_PATH} rm,

    # Privileges for setting up the sandbox. sys_admin is the broadest of
    # these; keep this list minimal and re-check it if the helper changes.
    capability sys_chroot,
    capability sys_admin,
    capability setuid,
    capability setgid,
    capability sys_resource,

    # NOTE(review): peer= is matched against the sender's label. The parent
    # is named google-chrome-stable rather than its attachment path, so
    # peer=@{BINARY_PATH} may not match signals from it; check the audit log
    # and use the profile name if denials appear. Same rule in sandboxed and
    # nacl_helper below.
    signal (receive) peer=@{BINARY_PATH},
    # The helper execs the browser binary into the stricter sandboxed profile.
    @{BINARY_PATH} Px -> google-chrome-stable//sandboxed,
  }

  # Browser binary re-executed by the sandbox helper (renderer/plugin
  # processes). Far narrower than the main profile: no capabilities, only
  # the files listed here plus the included abstractions.
  profile sandboxed {
    #include <abstractions/base>
    #include <abstractions/google-chrome>
    #include <abstractions/fonts>

    @{BINARY_PATH} rm,

    # See the peer label note in the sandbox sub-profile above.
    signal (receive) peer=@{BINARY_PATH},
    /sys/devices/system/cpu/cpufreq/policy0/cpuinfo_max_freq r,

    /proc/ r,
    /proc/@{pid}/statm r,

    # Shared-memory objects used to talk to the browser process; "owner"
    # limits this to objects with the same uid.
    owner /dev/shm/@{SOCKET_PATH}* rwlk,
  }

  # Native Client helper. Currently unreachable from this file (the
  # nacl_helper rule above uses ix, not Px); kept so the Px transition
  # can be re-enabled without rewriting the policy.
  profile nacl_helper {
    #include <abstractions/base>
    #include <abstractions/google-chrome>
    #include <abstractions/fonts>

    @{NACL_HELPER_PATH} rm,

    # See the peer label note in the sandbox sub-profile above.
    signal (receive) peer=@{BINARY_PATH},

    /proc/ r,
    /proc/@{pid}/statm r,

    owner /dev/shm/@{SOCKET_PATH}* rwlk,
  }

  # Site-local additions, loaded only if present.
  #include if exists <local/opt.google.chrome.chrome>
  #include if exists <local/google-chrome-stable>
}
