profile torbrowser_firefox @{torbrowser_firefox_executable} {
#include <abstractions/audio>
+ #include <abstractions/dri-enumerate>
#include <abstractions/gnome>
#include <abstractions/ibus>
+ #include <abstractions/mesa>
+ #include <abstractions/opencl>
#include if exists <abstractions/vulkan>
# Uncomment the following lines if you want to give the Tor Browser read-write
/usr/share/homepage/ r,
/usr/share/homepage/** r,
+ /sys/bus/pci/devices/ r,
+ @{sys}/devices/pci[0-9]*/**/irq r,
/sys/devices/system/cpu/ r,
/sys/devices/system/cpu/present r,
/sys/devices/system/node/ r,
# Required for Wayland display protocol support
owner /dev/shm/wayland.mozilla.ipc.[0-9]* rw,
- # Deny access to DRM nodes, that's granted by the X abstraction, which is
- # sourced by the gnome abstraction, that we include.
- deny /dev/dri/** rwklx,
-
# Silence denial logs about permissions we don't need
- deny /dev/dri/ rwklx,
deny @{HOME}/.cache/fontconfig/ rw,
deny @{HOME}/.cache/fontconfig/** rw,
deny @{HOME}/.config/gtk-2.0/ rw,
owner @{PROC}/@{pid}/{gid,uid}_map w,
owner @{PROC}/@{pid}/setgroups w,
+ # Remove these rules once we can assume abstractions/vulkan is recent enough
+ # to include them
+ /etc/glvnd/egl_vendor.d/{*,.json} r,
+ /usr/share/glvnd/egl_vendor.d/{,*.json} r,
+
#include <local/torbrowser.Browser.firefox>
}
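Review bot: The added rule `/etc/glvnd/egl_vendor.d/{*,.json} r,` looks like a transposed glob: as written it permits reading any file in that directory plus one literally named `.json`, and unlike the `/usr/share/glvnd` rule on the next line it has no empty alternative for the directory itself. It should probably read `/etc/glvnd/egl_vendor.d/{,*.json} r,` so both rules grant the same narrow access. Separately, the new `dri-enumerate`, `mesa` and `opencl` includes are unconditional while `vulkan` uses `#include if exists`; on a system whose AppArmor lacks one of those abstractions the profile would presumably fail to load and leave the browser unconfined, so `#include if exists <abstractions/mesa>` (and likewise for the other two) may be safer if older releases are still supported. With `deny /dev/dri/** rwklx,` dropped, DRM nodes become reachable through the X abstraction, as the removed comment noted, and together with the new `/sys/bus/pci/devices/` and `irq` reads this widens the GPU driver attack surface and the hardware-fingerprinting surface of a Tor client. A short comment above the new rules stating why GPU access is now required, and that the earlier deny was removed deliberately, would make that trade-off reviewable.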