# vim:syntax=apparmor

  include <abstractions/base>
  include <abstractions/p11-kit>
  include <abstractions/X>

  # TODO: adjust when support finer-grained netlink rules
  network netlink raw,

  /etc/udev/udev.conf r,
  /etc/wildmidi/wildmidi.cfg r,

  /dev/ r,
  /dev/bus/usb/ r,
  /dev/dri/ r,

  # /dev/shm is a symlink to /run/shm on ubuntu
  owner /{dev,run}/shm/shmfd-* rw,

  /run/udev/data/c* r,
  /run/udev/data/+pci:* r,
  /run/udev/data/+usb* r,

  /sys/bus/ r,
  /sys/bus/usb/devices/ r,
  /sys/class/ r,
  /sys/class/drm/ r,
  /sys/devices/pci[0-9]*/**/{busnum,config,devnum,descriptors,speed,uevent} r,
  /sys/devices/system/node/ r,
  /sys/devices/system/node/*/meminfo r,

  owner /tmp/orcexec.* mrw,
  owner /{,var/}run/user/[0-9]*/orcexec.* mrw,
  # needed if /tmp is mounted noexec:
  owner @{HOME}/orcexec.* mr,

  /usr/lib/frei0r-[0-9]/*.so m,
  # /usr/lib/@{multiarch}/dri/** mr,
  /usr/lib/@{multiarch}/gstreamer[0-9]*.[0-9]*/gstreamer-[0-9]*.[0-9]*/gst-plugin-scanner mrix,
  /usr/lib/@{multiarch}/libproxy/*/modules/*.so mr,
  /usr/lib/@{multiarch}/libvisual-[0-9].[0-9]/*/*.so m,

  owner @{HOME}/{.cache/,.}gstreamer-[0-9]*.[0-9]*/ rw,
  owner @{HOME}/{.cache/,.}gstreamer-[0-9]*.[0-9]*/registry.*.bin rw,
  owner @{HOME}/{.cache/,.}gstreamer-[0-9]*.[0-9]*/registry.*.bin.tmp* rw,