usr.bin.spotify

# Spotify 1.0.19 + Ubuntu 15.10

#include <tunables/global>

/usr/share/spotify/spotify {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/ubuntu-konsole>

  capability sys_ptrace, mknod

  deny /opt/Citrix/** mr,
  deny /opt/google/** mr,
  deny /selinux/ r,
  deny /proc/*/task/ r,
  deny /proc/ r,
  deny /proc/*/cmdline r,
  audit deny /home/*/.mozilla/plugins/ r,
  audit deny /tmp/** rlk,
  audit deny /proc/filesystems r,

  /etc/pulse/client.conf r,
  /etc/udev/udev.conf r,
  /etc/xdg/Trolltech.conf rk,
  /etc/xdg/sni-qt.conf rk,
  owner /home/*/.ICEauthority r,
  owner /home/*/.Xauthority r,
  owner /home/*/.cache/dconf/user rw,
  owner /home/*/.cache/spotify/ r,
  owner /home/*/.cache/spotify/** rwk,
  owner /home/*/.config/Trolltech.conf rk,
  owner /home/*/.config/dconf/user r,
  owner /home/*/.config/spotify/** rwk,
  owner /home/*/.config/user-dirs.dirs r,
  owner /home/*/.fontconfig/* r,
  owner /home/*/.fonts/* r,
  owner /home/*/.local/share/mime/mime.cache r,
  owner /home/*/.local/share/spotify/* w,
  owner /home/*/.pki/nssdb/* rwk,
  owner /home/*/.pulse-cookie rwk,
  owner /home/*/.config/ibus/bus/ w,
  owner /proc/*/oom_score_adj w,
  owner /proc/*/auxv r,
  owner /proc/*/fd/ r,
  owner /proc/*/maps r,
  owner /proc/*/stat r,
  owner /proc/*/status r,
  /proc/meminfo r,
  /proc/stat r,
  /proc/sys/kernel/pid_max r,
  /proc/sys/kernel/shmmax r,
  /proc/tty/drivers r,
  /proc/uptime r,
  /proc/version r,
  /run/shm/ r,
  /run/shm/* rwk,
  /sys/bus/pci/devices/ r,
  /sys/devices/** r,
  /tmp/** w,
  /usr/bin/setarch rix,
  /usr/bin/tr rix,
  /usr/lib/nspluginwrapper/i386/linux/npviewer rix,
  /usr/lib/nspluginwrapper/i386/linux/npviewer.bin rix,
  /usr/lib{,32,64}/** mr,
  /usr/share/glib-2.0/** r,
  /usr/share/misc/pci.ids r,
  /usr/share/themes/** r,
  /var/lib/dbus/* r,
}