#include <tunables/global>
# Application root shared by every profile in this file; all @{RAILS_ROOT}
# paths below resolve against this one directory.
@{RAILS_ROOT}=/srv/www/vhosts/discourse
# Puma application server. The discourse and discourse-puma-logs
# abstractions (not visible in this file) carry the bulk of the Ruby/Rails
# access rules; this profile only spells out the writable data paths.
profile /discourse/appserver {
  #include <abstractions/discourse>
  #include <abstractions/discourse-puma-logs>
  # Puma launcher script, read-only, any ruby2.x build.
  /usr/bin/puma.ruby2.[0-9]-* r,

  # Writable application data granted here: uploads, backup archives and
  # plugin-installed JavaScript. Every rule is restricted to files owned by
  # the task's uid (owner), so foreign files under these trees stay read-only.
  owner @{RAILS_ROOT}/public/uploads/** rw,
  owner @{RAILS_ROOT}/public/backups/** rw,
  owner @{RAILS_ROOT}/app/assets/javascripts/plugins/* rw,

  # Scratch space; l (link) and k (file lock) are granted in addition to rw,
  # presumably for Ruby tempfile handling — confirm if tightening.
  owner /tmp/** rwlk,
}

# Sidekiq background-job worker. Same writable application data as the
# appserver profile, plus its own log file and the right to stop peers.
profile /discourse/sidekiq {
  #include <abstractions/discourse>
  # Sidekiq launcher script, read-only, any ruby2.x build.
  /usr/bin/sidekiq.ruby2.[0-9]-* r,

  # Own log file: write and lock only (no read), and only when owned by
  # the task's uid.
  owner @{RAILS_ROOT}/log/sidekiq.log wk,

  # Writable application data, mirroring /discourse/appserver.
  owner @{RAILS_ROOT}/public/uploads/** rw,
  owner @{RAILS_ROOT}/public/backups/** rw,
  owner @{RAILS_ROOT}/app/assets/javascripts/plugins/* rw,

  # Scratch space; l (link) and k (file lock) are granted in addition to rw,
  # presumably for Ruby tempfile handling — confirm if tightening.
  owner /tmp/** rwlk,

  # SIGTERM may be sent to any child profile of /discourse (the helper-tool
  # profiles in this file). Sending it to an unconfined process is still
  # allowed but carries the audit qualifier, so every such kill is logged.
        signal send set=(term) peer=/discourse//*,
  audit signal send set=(term) peer=unconfined,
}

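# Parent profile for the helper programs the application spawns (ImageMagick,
# image optimisers, git, a few coreutils). Each helper runs in its own child
# profile, so a compromised tool is limited to the handful of paths listed
# for it. The exec transitions into these children are not visible in this
# file; presumably they live in the discourse-apps abstraction — confirm.
profile /discourse {
  profile hostname {
    #include <abstractions/base>
    #include <abstractions/nameservice>
    #include <abstractions/discourse-puma-logs>
    /usr/bin/hostname rm,
  }
  # ImageMagick: no network at all, and no cache directories may be created
  # under the application root.
  profile magick {
    #include <abstractions/base>
    #include <abstractions/imagemagick>
    #include <abstractions/discourse-puma-logs>

    deny network,

    # Explicit deny rules take precedence over anything the imagemagick
    # abstraction allows, and denied attempts are logged.
    deny @{RAILS_ROOT}/.cache/ w,
    deny @{RAILS_ROOT}/.fontconfig/ w,

    # Colour profile shipped with the application.
    @{RAILS_ROOT}/vendor/data/RT_sRGB.icm r,

    # Only owned files under uploads and the app's tmp tree are writable.
    owner @{RAILS_ROOT}/public/uploads/** rw,
    owner @{RAILS_ROOT}/tmp/** rw,

    owner /tmp/** rw,

    /usr/bin/magick rm,
  }
  # git: TLS/network abstractions are included (remote fetches), but writes
  # are confined to the per-theme scratch directories under /tmp.
  profile git {
    #include <abstractions/base>
    #include <abstractions/nameservice>
    #include <abstractions/openssl>
    #include <abstractions/ssl_certs>
    #include <abstractions/discourse-puma-logs>
    # git's helper binaries execute inside this same profile (ix).
    /usr/lib/git/* rmix,
    /usr/share/git-core/** r,
    # NOTE(review): unlike the /tmp rules elsewhere in this file these carry
    # no `owner` qualifier; if the theme directories are always created by
    # the application's own uid, `owner` could be added — verify first.
    /tmp/discourse_theme*/ rw,
    /tmp/discourse_theme*/** rwlk,
  }
  profile mkdir {
    #include <abstractions/base>
    /usr/bin/mkdir rm,
  }
  profile grep {
    #include <abstractions/base>
    #include <abstractions/discourse-puma-logs>
    /usr/bin/grep rm,
  }
  profile uname {
    #include <abstractions/base>
    #include <abstractions/discourse-puma-logs>
    /usr/bin/uname rm,
  }
  profile rm {
    #include <abstractions/base>
    /usr/bin/rm rm,
    # AppArmor checks unlink as a write on the file itself, hence w on the
    # plugin entries rather than on the directory.
    @{RAILS_ROOT}/public/plugins/* w,
  }
  profile ln {
    #include <abstractions/base>
    /usr/bin/ln rm,
    @{RAILS_ROOT}/public/plugins/** w,
  }
  # ps: reads other processes' /proc entries, which AppArmor mediates as a
  # ptrace "read" access against the peer.
  profile ps {
    #include <abstractions/base>
    #include <abstractions/consoles>
    #include <abstractions/nameservice>
    /{usr/,}bin/ps rm,
    /proc/sys/kernel/osrelease r,
    /proc/*/stat r,
    /proc/*/cmdline r,
    /proc/uptime r,
    /proc/sys/kernel/pid_max r,
    /proc/ r,
    # Narrowed to read only: listing processes never needs trace, readby or
    # tracedby, which an unqualified `ptrace,` would also grant to any peer.
    # TODO confirm a full `ps` run still succeeds in enforce mode.
    ptrace (read),
  }
  # bash: the only child profile that may read the theme scratch dirs and
  # that includes discourse-apps (presumably the transitions to the sibling
  # helper profiles — not visible here).
  profile bash {
    #include <abstractions/base>
    #include <abstractions/consoles>
    #include <abstractions/nameservice>
    #include <abstractions/discourse-puma-logs>
    #include <abstractions/discourse-apps>
    /bin/bash rm,
    /tmp/discourse_theme*/ r,
  }
  profile df {
    #include <abstractions/base>
    /usr/bin/df rm,
  }
  profile tr {
    #include <abstractions/base>
    /usr/bin/tr rm,
  }
  profile cut {
    #include <abstractions/base>
    /usr/bin/cut rm,
  }
  profile tail {
    #include <abstractions/base>
    /usr/bin/tail rm,
  }
  # Image optimisers: each gets only its binary and `deny network`; any file
  # access they need must come from base or the puma-logs abstraction.
  profile optipng {
    #include <abstractions/base>
    #include <abstractions/discourse-puma-logs>

    deny network,

    /usr/bin/optipng rm,
  }
  profile pngquant {
    #include <abstractions/base>
    #include <abstractions/discourse-puma-logs>

    deny network,

    /usr/bin/pngquant rm,
  }
  profile jhead {
    #include <abstractions/base>
    #include <abstractions/discourse-puma-logs>

    deny network,

    /usr/bin/jhead rm,
  }
  profile jpegtran {
    #include <abstractions/base>
    #include <abstractions/discourse-puma-logs>

    deny network,

    /usr/bin/jpegtran rm,
  }
  profile jpegoptim {
    #include <abstractions/base>
    #include <abstractions/discourse-puma-logs>

    deny network,

    /usr/bin/jpegoptim rm,
  }
  profile gifsicle {
    #include <abstractions/base>
    #include <abstractions/discourse-puma-logs>

    deny network,

    /usr/bin/gifsicle rm,
    # The only optimiser granted write access to the app's tmp tree.
    owner @{RAILS_ROOT}/tmp/** rw,
  }
  # svgo: a Node script, so the node10 interpreter runs inside this profile
  # (ix) and the whole global node_modules tree is readable.
  profile svgo {
    #include <abstractions/base>
    #include <abstractions/consoles>
    #include <abstractions/discourse-puma-logs>

    deny network,

    /usr/local/lib/node_modules/svgo/bin/svgo rm,
    /usr/local/lib/node_modules/** r,
    /usr/share/icu/*/icu*.dat r,
    /usr/bin/node10 rmix,
  }
}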
