#include <tunables/global>
/usr/bin/skype {
  #include <abstractions/audio>
  #include <abstractions/base>
  #include <abstractions/dbus-session>
  #include <abstractions/fonts>
  #include <abstractions/freedesktop.org>
  #include <abstractions/gnome>
  #include <abstractions/ibus>
  #include <abstractions/kde>
  #include <abstractions/nameservice>
  #include <abstractions/nvidia>
  #include <abstractions/ssl_certs>
  #include <abstractions/user-tmp>
  #include <abstractions/X>

  @{PROC}/sys/kernel/{ostype,osrelease} r,
  @{PROC}/@{pid}/net/arp r,
  owner @{PROC}/@{pid}/auxv r,
  owner @{PROC}/@{pid}/cmdline r,
  owner @{PROC}/@{pid}/fd/ r,
  owner @{PROC}/@{pid}/task/ r,
  owner @{PROC}/@{pid}/task/[0-9]*/stat r,

  /sys/devices/**/power_supply/**/online r,
  /sys/devices/system/cpu/ r,
  /sys/devices/system/cpu/cpu[0-9]*/cpufreq/scaling_{cur_freq,max_freq} r,

  /dev/ r,
  owner /{dev,run}/shm/pulse-shm* m,
  /dev/snd/* m,
  /dev/video* mrw,

  /var/cache/libx11/compose/* r,

  # should this be in a separate KDE abstraction?
  owner @{HOME}/.kde{,4}/share/config/kioslaverc r,

  /usr/bin/skype mr,
  /etc/xdg/sni-qt.conf rk,
  /etc/xdg/Trolltech.conf rk,
  /usr/share/skype/** kr,
  /usr/share/skype/**/*.qm mr,
  /usr/share/skype/sounds/*.wav kr,
  /usr/lib{,32}/pango/** mr,
  /usr/lib{,32}/libv4l/* mr,

  # For opening links in the browser (still requires explicit access to execute
  # the browser)
  /usr/bin/xdg-open ixr,

  owner @{HOME}/.Skype/   rw,
  owner @{HOME}/.Skype/** krw,
  owner @{HOME}/.config/               r,
  owner @{HOME}/.config/*/             r,
  owner @{HOME}/.config/Skype/Skype.conf rw,
  owner @{HOME}/.config/Trolltech.conf kr,

  # Skype traverses the .mozilla directory and needs access to prefs.js
  deny owner @{HOME}/.mozilla/ r,
  deny owner @{HOME}/.mozilla/**/ r,
  deny owner @{HOME}/.mozilla/*/*/prefs.js r,

  # Skype also looks around in these directories
  /{,usr/,usr/local/}lib{,32}/ r,

  # Recent skype builds have an executable stack, so it tries to mmap certain
  # files. Let's deny them for now.
  deny /etc/passwd m,
  deny /etc/group m,
  deny /usr/share/fonts/** m,

  # Silence a few non-needed writes
  deny /var/cache/fontconfig/ w,
  deny owner @{HOME}/.fontconfig/ w,
  deny owner @{HOME}/.fontconfig/*.cache-*.TMP* w,
}