#include <tunables/global>
# Install root of this Pixelfed deployment; presumably consumed by <abstractions/pixelfed>.
# NOTE(review): the RAILS_ROOT name reads like a leftover from a Rails template even
# though this is a PHP application — confirm the abstraction references this exact name.
@{RAILS_ROOT}=/srv/www/vhosts/pixelfed
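# Confinement for the Pixelfed Horizon queue worker (php). Horizon shells out through
# bash, and bash in turn runs the media tools; every helper lands in its own named
# child profile so a compromised worker cannot broaden its own policy by exec'ing out.
profile /pixelfed/horizon flags=(attach_disconnected) {
    #include <abstractions/base>
    #include <abstractions/php>
    #include <abstractions/openssl>
    #include <abstractions/pixelfed>
    #include <abstractions/nameservice>

    # The interpreter itself: read + mmap only; no exec transition is needed here.
    /usr/bin/php rm,
    # The kernel redirects revoked fds to this path on exec; deny quietly so the
    # audit log is not flooded with harmless denials.
    deny /apparmor/.null rw,

    # Shell helper runs under the in-file child profile below (cx).
    /bin/bash cx -> bash,
    profile bash flags=(attach_disconnected) {
      #include <abstractions/base>
      #include <abstractions/consoles>

      # The shell has no business talking to the network; deny explicitly to keep logs quiet.
      deny network,
      deny /apparmor/.null rw,

      /bin/bash rm,
      # bash may re-launch php; that transitions back into the parent worker profile.
      /usr/bin/php px -> /pixelfed/horizon,

      # Every external tool gets its own child profile (parent//child naming), so a
      # hijacked helper only inherits that helper's narrow rule set.
      /bin/rm      px -> /pixelfed/horizon//rm,
      /usr/bin/stty px -> /pixelfed/horizon//stty,
      /usr/bin/grep px -> /pixelfed/horizon//grep,
      /{,usr/}bin/ps px -> /pixelfed/horizon//ps,
      # Media tools parse untrusted uploads. Px scrubs the environment on transition,
      # and the child profiles below deny network and (beyond whatever the included
      # abstractions pull in) grant no exec rules, so a decoder or delegate exploit
      # cannot spawn further programs or reach the network.
      /usr/bin/magick     Px -> /pixelfed/horizon//magick, # <- most important rule ever
      /usr/bin/optipng    Px -> /pixelfed/horizon//optipng,
      /usr/bin/pngquant   Px -> /pixelfed/horizon//pngquant,
      /usr/bin/jhead      Px -> /pixelfed/horizon//jhead,
      /usr/bin/jpegtran   Px -> /pixelfed/horizon//jpegtran,
      /usr/bin/jpegoptim  Px -> /pixelfed/horizon//jpegoptim,
      /usr/bin/gifsicle   Px -> /pixelfed/horizon//gifsicle,
    }
    profile grep flags=(attach_disconnected) {
      #include <abstractions/base>
      deny /apparmor/.null rw,
      /usr/bin/grep rm,
    }
    profile stty flags=(attach_disconnected) {
      #include <abstractions/base>
      deny /apparmor/.null rw,
      /usr/bin/stty rm,
    }
    profile ps flags=(attach_disconnected) {
      #include <abstractions/base>
      #include <abstractions/consoles>
      #include <abstractions/nameservice>
      deny /apparmor/.null rw,
      # Match the exec rule in the bash profile: on merged-/usr systems the binary
      # resolves to /usr/bin/ps, and a /bin/ps-only rule would deny mmap of the binary
      # after the transition.
      /{,usr/}bin/ps rm,

      # Minimal /proc surface ps needs to list processes.
      /proc/uptime r,
      /proc/sys/kernel/pid_max r,
      /proc/ r,
      /proc/sys/kernel/osrelease r,
      /proc/*/cmdline r,
      /proc/*/stat r,
      /proc/tty/drivers r,

      # Per-process details that require ptrace-read access are limited to the worker
      # and its children (the ** covers the /pixelfed/horizon//* child profiles), so ps
      # cannot inspect unrelated processes on the host.
      ptrace (read) peer=/pixelfed/horizon**,
    }
    profile rm flags=(attach_disconnected) {
      #include <abstractions/base>
      /bin/rm rm,
    }
    profile magick flags=(attach_disconnected) {
      #include <abstractions/base>
      #include <abstractions/imagemagick>
      #include <abstractions/pixelfed-storage-files>

      deny network,
      deny /apparmor/.null rw,

      # fontconfig tries to refresh the shared cache on startup; deny silently instead
      # of granting write access to a system-wide directory.
      deny /var/cache/fontconfig/ w,

      /usr/bin/magick rm,
    }
    profile optipng flags=(attach_disconnected) {
      #include <abstractions/base>
      #include <abstractions/pixelfed-storage-files>

      deny network,
      deny /apparmor/.null rw,

      /usr/bin/optipng rm,
    }
    profile pngquant flags=(attach_disconnected) {
      #include <abstractions/base>
      #include <abstractions/pixelfed-storage-files>

      deny network,
      deny /apparmor/.null rw,

      /usr/bin/pngquant rm,
    }
    profile jhead flags=(attach_disconnected) {
      #include <abstractions/base>
      #include <abstractions/pixelfed-storage-files>

      deny network,
      deny /apparmor/.null rw,

      /usr/bin/jhead rm,
    }
    profile jpegtran flags=(attach_disconnected) {
      #include <abstractions/base>
      #include <abstractions/pixelfed-storage-files>

      deny network,
      deny /apparmor/.null rw,

      /usr/bin/jpegtran rm,
    }
    profile jpegoptim flags=(attach_disconnected) {
      #include <abstractions/base>
      #include <abstractions/pixelfed-storage-files>

      deny network,
      deny /apparmor/.null rw,

      /usr/bin/jpegoptim rm,
    }
    profile gifsicle flags=(attach_disconnected) {
      #include <abstractions/base>
      #include <abstractions/pixelfed-storage-files>

      deny network,
      deny /apparmor/.null rw,

      /usr/bin/gifsicle rm,
    }
}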
