abi <abi/4.0>,

include <tunables/global>

profile dnscrypt-proxy /usr/sbin/dnscrypt-proxy flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/ssl_certs>

  /{usr/,}etc/hosts r,
  /{usr/,}etc/resolv.conf r,
  /{usr/,}etc/gai.conf r,
  /{usr/,}etc/host.conf r,
  /{usr/,}etc/nsswitch.conf r,

  /etc/dnscrypt-proxy/* r,

  /var/lib/dnscrypt-proxy/** rw,

  /var/log/dnscrypt-proxy/ r,
  /var/log/dnscrypt-proxy/** rw,

  /sys/devices/system/cpu/online r,
  /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,
  /proc/cmdline r,
  /proc/sys/kernel/osrelease r,

  capability net_bind_service,

  network unix  stream,

  network inet  stream,
  network inet6 stream,

  network inet  dgram,
  network inet6 dgram,

  # seems for nscd
  network netlink raw,

  include if exists <local/usr.sbin.dnscrypt-proxy>
  include if exists <local/dnscrypt-proxy>
}
