abi <abi/4.0>,

include <tunables/global>

profile /garage/service {
  include <abstractions/base>
  include <abstractions/nameservice-strict>

  network inet,
  network inet6,

  /usr/bin/garage rm,

  /etc/garage/garage.toml r,
  /var/lib/garage/** rwlk,

  owner /proc/@{pid}/{cgroup,mountinfo} r,

  include if exists <local/garage>
  include if exists <local/garage-service>
}

profile /garage/cli /usr/bin/garage {
  include <abstractions/base>
  include <abstractions/nameservice-strict>

  network inet,
  network inet6,

  capability dac_override,
  capability dac_read_search,

  /usr/bin/garage rm,

  /etc/garage/garage.toml r,
  /var/lib/garage/** rwlk,

  owner /proc/@{pid}/{cgroup,mountinfo} r,

  include if exists <local/garage>
  include if exists <local/garage-cli>
}
