## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
## See the file COPYING for copying conditions.

#include <tunables/global>

@{WRAPPER}=/usr/share/sandbox-app-launcher/wrapper-script
@{WRAPPER_WX}=@{WRAPPER}-wx
@{HOME_DIR}=/home/sandbox-app-launcher-appdata
@{SHARED_DIR}=@{HOME_DIR}/shared /shared

profile sandbox-app-launcher @{WRAPPER} flags=(attach_disconnected) {
  #include <abstractions/sandbox-app-launcher>

  ## Allow us to send ourselves signals.
  signal peer=sandbox-app-launcher,

  ## Allow us to ptrace ourselves.
  ptrace (read, readby, tracedby) peer=sandbox-app-launcher,

  ## Deny W^X violations.
  deny @{HOME_DIR}/*/** xm,
  deny @{SHARED_DIR}/** xm,
  deny /{,var/}tmp/** xm,
  deny /dev/shm/** m,
  deny @{sys}/fs/cgroup/** m,
}

profile sandbox-app-launcher-wx @{WRAPPER_WX} flags=(attach_disconnected) {
  #include <abstractions/sandbox-app-launcher>

  ## Allow us to send ourselves signals.
  signal peer=sandbox-app-launcher-wx,

  ## Allow us to ptrace ourselves.
  ptrace (read, readby, tracedby) peer=sandbox-app-launcher-wx,

  ## Allow W^X violations.
  owner @{HOME_DIR}/*/** rwmlkix,
  @{SHARED_DIR}/** rwmlkix,
  owner /{,var/}tmp/** rwmlkix,
  owner /dev/shm/** rwm,
  @{sys}/fs/cgroup/** rwm,
}
