#include profile qutebrowser /usr/{local/,}bin/qutebrowser { #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include # not nice but required for chromium sandbox capability sys_admin, capability sys_chroot, capability sys_ptrace, /dev/ r, /dev/video* r, /etc/mime.types r, /usr/bin/ r, /usr/bin/ldconfig ix, /usr/bin/uname ix, /usr/bin/qutebrowser rix, /usr/lib/qt/libexec/QtWebEngineProcess mrix, /usr/share/pdf.js/** r, /usr/share/qt/translations/qtwebengine_locales/* r, /usr/share/qt/qtwebengine_dictionaries r, /usr/share/qt/qtwebengine_dictionaries/* r, /usr/share/qt/resources/* r, owner @{HOME}/ r, owner /dev/shm/.org.chromium* rw, owner @{HOME}/.cache/{qtshadercache,qutebrowser}/** rwlk, owner @{HOME}/.cache/qtshadercache** rwl, owner @{HOME}/.config/qutebrowser/** rwlk, owner @{HOME}/.local/share/.org.chromium.Chromium* rw, owner @{HOME}/.local/share/mime/generic-icons r, owner @{HOME}/.local/share/qutebrowser/ r, owner @{HOME}/.local/share/qutebrowser/** rwkl, owner @{HOME}/.pki/nssdb/* rwk, owner @{HOME}/#[0-9]* rwm, owner /run/user/*/qutebrowser/ rw, owner /run/user/*/qutebrowser/* rw, owner /run/user/*/qutebrowser*slave-socket rwl, owner /run/user/*/#* rw, # qt/kde @{PROC} r, @{PROC}/sys/fs/inotify/max_user_watches r, @{PROC}/sys/kernel/random/boot_id r, @{PROC}/sys/kernel/core_pattern r, @{PROC}/sys/kernel/yama/ptrace_scope r, /sys/{class,bus}/ r, /sys/bus/pci/devices/ r, /sys/devices/**/{class,config,device,resource,revision,removable,uevent} r, /sys/devices/**/{vendor,subsystem_device,subsystem_vendor} r, owner @{PROC}/@{pid}/{fd,stat,task,mounts}/ r, owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/task/@{pid}/status r, owner @{PROC}/@{pid}/{setgroups,gid_map,oom_score_adj,uid_map} rw, owner @{PROC}/@{pid}/{oom_score_adj,uid_map} rw, # allow execution of userscripts /usr/share/qutebrowser/userscripts/* Ux, }