# AppArmor profile "cursor_sandbox", attached to the cursorsandbox helper binary
# at the path below.
#
# NOTE(review): the rules here are almost all broad allows (all files, inherited
# exec of anything, unrestricted mount operations, user namespaces). In effect
# the profile authorises the helper to build a sandbox rather than confining the
# helper itself. The trust placed in this profile is therefore only as good as
# the integrity of the binary at this path; verify it is root-owned and not
# writable by unprivileged users.
profile cursor_sandbox /usr/share/cursor/resources/app/resources/helpers/cursorsandbox {
  # Bare file rule: no path or permission qualifier, so file access is not
  # restricted by this profile.
  file,
  # "ix" = inherit-execute: any program executed from any path keeps running
  # under this same profile, so child processes get every permission listed here.
  /** ix,

  # AppArmor capability rules only permit use of a capability the process
  # already holds; they do not grant it.
  # sys_admin is the broadest of these. Presumably it is needed for the mount
  # and namespace setup below; confirm against the helper's actual needs.
  capability sys_admin,
  capability chown,
  capability setuid,
  capability setgid,
  capability setpcap,

  # Permit creation of user namespaces. This matters on systems that restrict
  # unprivileged user namespaces through AppArmor, where a process needs this
  # rule to create one.
  userns,

  # Bare mount rules: no source, target, filesystem type or option constraints,
  # so any mount, remount or unmount is permitted by policy.
  mount,
  remount,
  umount,

  # Allow the helper binary itself to be read (r) and mapped executable (m).
  # NOTE(review): likely already covered by the bare `file,` rule above; kept as
  # an explicit statement of intent.
  /usr/share/cursor/resources/app/resources/helpers/cursorsandbox mr,

  # NOTE(review): no network, signal, ptrace or dbus rules are visible in this
  # profile. Where the kernel mediates those classes they would be denied in
  # enforce mode; confirm that matches the intended behaviour.
}
