#include <tunables/global>

profile hassio-supervisor flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/base>
  #include <abstractions/python>

  network,
  deny network raw,

  signal (send) set=(kill,term,int,hup,cont),

  capability net_admin,
  capability net_bind_service,
  capability dac_read_search,
  capability dac_override,
  capability chown,

  /bin/** ix,
  /usr/bin/** ix,
  /bin/udevadm Ux,
  /sbin/udevd Ux,
  /usr/local/bin/python* ix,
  /usr/bin/git cx,
  /usr/bin/gdbus cx,
  /usr/lib/bashio/** ix,
  /etc/s6/** ix,
  /run/{s6,s6-rc*,service}/** ix,
  /package/** ix,
  /command/** ix,
  /etc/services.d/** rwix,
  /etc/cont-init.d/** rwix,
  /etc/cont-finish.d/** rwix,

  deny /proc/** wl,
  deny /sys/** wl,

  / r,
  /** r,
  /tmp/** rwk,
  /data/** rw,
  /run/{,**} rwk,
  /dev/tty rw,
  /root/.cas/{,**} rwk,
  /etc/resolv.conf rw,
  /run/docker.sock rw,

  /usr/local/lib/** mr,

  profile /usr/bin/gdbus flags=(attach_disconnected,mediate_deleted) {
    #include <abstractions/base>
    #include <abstractions/dbus>

    signal (receive) set=(int),
    unix (send, receive) type=stream,

    capability sys_nice,

    /** r,
    /lib/* mr,
    /usr/bin/gdbus mr,
    /usr/local/lib/** mr,

    /run/dbus/system_bus_socket rw,
  }

  profile /usr/bin/git flags=(attach_disconnected,mediate_deleted) {
    #include <abstractions/base>

    network,
    deny network raw,

    signal (receive) set=(term),

    /bin/busybox ix,
    /usr/bin/git mrix,
    /usr/libexec/git-core/* ix,

    deny /data/homeassistant rw,
    deny /data/ssl rw,

    /** r,
    /lib/* mr,
    /data/addons/** lrw,
    /usr/local/lib/** mr,

    capability dac_override,
  }
}