#include <tunables/global>

# Profile variables.  They are laid out like the Chromium/Google Chrome
# profiles this file is derived from (see the "keep in sync" note on the
# sandbox child below); several are only referenced from the included
# abstractions, not from this file itself.
@{BROWSER} = codium
@{APPNAME} = @{BROWSER}
# Installation prefix of the application bundle.
@{APPDIR} = /usr/share/@{APPNAME}
@{BINARY_NAME} = @{BROWSER}
# Main executable, also the attachment path of the "vscodium" profile.
@{BINARY_PATH} = @{APPDIR}/@{BINARY_NAME}
# Setuid sandbox helper; gets its own child profile.
@{SANDBOX_PATH} = @{APPDIR}/chrome-sandbox
# Prefix of the shared-memory segments in /dev/shm used by the renderer IPC.
@{SOCKET_PATH} = .org.chromium.Chromium
# Not referenced in this file; presumably consumed by abstractions/vscodium
# (per-user config directory name) — confirm against that abstraction.
@{CONFIG_SUBDIR} = Code-OSS

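# Main profile for VSCodium.  It is a *named* profile ("vscodium") attached
# to the binary path, so every peer= and Px -> target that refers back to
# it must use the label "vscodium" (and "vscodium//<child>" for the child
# profiles declared below), not the binary path.
profile vscodium /usr/share/codium/codium {
  #include <abstractions/chromium-common>
  #include <abstractions/vscodium>
  #include <abstractions/consoles>

  # Transition the setuid sandbox helper into this profile's own "sandbox"
  # child.  The previous target, google-chrome-vscodium//sandbox, is not a
  # profile defined in this file (left over from the google-chrome profile
  # this was copied from), so the exec would have been denied.
  @{SANDBOX_PATH}     Px -> vscodium//sandbox,
  # Signals and ptrace are limited to our own child profiles (rg, sandbox,
  # sandboxed); nothing else on the system is a valid peer.
  signal (send) peer=vscodium//*,
  ptrace        peer=vscodium//*,

  signal        peer=lsb_release,
  ptrace        peer=lsb_release,

  # cmdline of any process is needed for process listings.  Memory reads
  # are restricted to processes of the same uid: the kernel's ptrace access
  # check already refuses other uids, so the unscoped grant was only wider
  # on paper, and "owner" keeps the profile at what is actually usable.
  /proc/@{pid}/cmdline r,
  owner /proc/@{pid}/mem r,

  # Per-user settings, extensions and workspace state.
  owner @{HOME}/.vscode-oss/ r,
  owner @{HOME}/.vscode-oss/** rwlk,

  # IPC sockets of the running instance (e.g. for "codium --reuse-window").
  owner /run/user/*/vscode* rw,

  # Native Node addons must be mapped executable.
  @{APPDIR}/**/*.node m,

  # git is executed unconfined (Ux).  Note that anything git itself spawns
  # (hooks, core.sshCommand, credential helpers, editors) then runs without
  # any confinement; a dedicated git profile would be tighter but is not
  # provided here.
  /usr/lib/git/git Ux,

  # ICU locale data.
  /usr/share/icu/*/icu*.dat r,

  # fontconfig tries to create cache-stamp files in font directories;
  # silence those attempts instead of logging them as denials.
  deny @{HOME}/.fonts/.uuid      wl,
  deny /usr/share/fonts/**/.uuid wl,

  /usr/bin/lsb_release Px -> lsb_release,

  # The bundled ripgrep (used for workspace search) gets its own child.
  @{APPDIR}/resources/app/node_modules.asar.unpacked/vscodium-ripgrep/bin/rg Px -> vscodium//rg,

  profile rg {
    #include <abstractions/base>
    #include <abstractions/fonts>
    #include <abstractions/consoles>
    # NOTE(review): this pulls the same local override file into the rg child
    # as into the main profile; any site-local additions therefore also apply
    # to ripgrep — confirm that is intended.
    #include if exists <local/vscodium>

    @{APPDIR}/resources/app/node_modules.asar.unpacked/vscodium-ripgrep/bin/rg rm,

    # inherited file handles (no CLO_EXEC)
    @{APPDIR}/** r,
    @{APPDIR}/**/*.node m,

    owner /dev/shm/@{SOCKET_PATH}* rwlk,
  }

  # keep in sync with google-chrome-stable
  profile sandbox {
    #include <abstractions/base>
    #include <abstractions/vscodium>

    @{SANDBOX_PATH} rm,

    # The setuid helper builds the renderer's chroot/namespace jail and then
    # drops privileges; these capabilities are what that sequence needs.
    capability sys_chroot,
    capability sys_admin,
    capability setuid,
    capability setgid,
    capability sys_resource,

    # peer= matches the sender's *label*.  The parent profile is named
    # "vscodium", not by its binary path, so peer=@{BINARY_PATH} would never
    # match and the parent's signals would be denied.
    signal (receive) peer=vscodium,
    @{BINARY_PATH} Px -> vscodium//sandboxed,
  }

  # Renderer/zygote side of the sandbox: the main binary re-executed inside
  # the jail set up by the "sandbox" child.
  profile sandboxed {
    #include <abstractions/base>
    #include <abstractions/vscodium>
    #include <abstractions/fonts>

    @{BINARY_PATH} rm,

    # Same label consideration as in the sandbox child above.
    signal (receive) peer=vscodium,
    /sys/devices/system/cpu/cpufreq/policy0/cpuinfo_max_freq r,

    /proc/ r,
    /proc/@{pid}/statm r,

    # Shared-memory segments of the renderer IPC.
    owner /dev/shm/@{SOCKET_PATH}* rwlk,
  }

  # Site-local additions to the main profile.
  #include if exists <local/vscodium>
}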
