abi <abi/5.0>,

profile snap_browsers {
  include if exists <abstractions/snap_browsers.d>
  include <abstractions/base>
  include <abstractions/dbus-session-strict>

  /etc/passwd r,
  /etc/nsswitch.conf r,
  /etc/fstab r,

  # noisy
  deny owner /run/user/[0-9]*/gdm/Xauthority r, # not needed on Ubuntu

  /{,snap/core/[0-9]*/,snap/snapd/[0-9]*/}usr/bin/snap mrix, # re-exec
  /{,snap/core/[0-9]*/,snap/snapd/[0-9]*/}usr/lib/snapd/info r,
  /{,snap/core/[0-9]*/,snap/snapd/[0-9]*/}usr/lib/snapd/snapd r,
  /{,snap/core/[0-9]*/,snap/snapd/[0-9]*/}usr/lib/snapd/snap-seccomp rPix,
  /{,snap/core/[0-9]*/,snap/snapd/[0-9]*/}usr/lib/snapd/snap-confine Pix,
  /{,snap/core/[0-9]*/,snap/snapd/[0-9]*/}usr/lib/@{multiarch}/* mr,
  /var/lib/snapd/system-key r,
  /run/snapd.socket rw,

  @{PROC}/version r,
  @{PROC}/cmdline r,
  @{PROC}/sys/net/core/somaxconn r,
  @{PROC}/sys/kernel/seccomp/actions_avail r,
  @{PROC}/sys/kernel/random/uuid r,
  owner @{PROC}/@{pid}/cgroup r,
  owner @{PROC}/@{pid}/mountinfo r,
  owner @{HOME}/.snap/auth.json r, # if exists, required

  dbus send bus="session" path="/org/freedesktop/systemd1" interface="org.freedesktop.systemd1.Manager" member="StartTransientUnit" peer=(name="org.freedesktop.systemd1"),
  dbus receive bus="session" path="/org/freedesktop/systemd1" interface="org.freedesktop.systemd1.Manager" member="JobRemoved",

  /sys/kernel/security/apparmor/features/{,**} r,

  # allow launching official browser snaps.
  /snap/{brave,chromium,firefox,opera}/[0-9]*/meta/{snap.yaml,hooks/} r,
  /var/lib/snapd/sequence/{brave,chromium,firefox,opera}.json r,
  /var/lib/snapd/inhibit/{brave,chromium,firefox,opera}.lock rk,

  owner @{run}/user/@{uid}/.mutter-Xwaylandauth.* r,
  owner @{run}/user/@{uid}/snap.{brave,chromium,firefox,opera}/ rw,
  /sys/fs/cgroup/cgroup.controllers r,

  /usr/bin/getent rmCx,
  profile getent /usr/bin/getent {
    include <abstractions/base>
    include <abstractions/nameservice-strict>
    @{exec_path} rm,
  }

  /usr/bin/systemctl rmCx,
  profile systemctl /usr/bin/systemctl {
    include <abstractions/base>
    @{exec_path} rm,

    unix bind addr=@*/bus/systemctl/system,
  }

}
