abi <abi/3.0>,

include <tunables/global>

# Confinement for the MinIO server binary. The profile attaches by path to
# /usr/sbin/minio. The rules visible here grant no `x` (exec) permission and
# no `capability` rules, so anything of that kind can only come from the
# included abstractions or from the site-local override at the bottom.
profile minio /usr/sbin/minio {
  include <abstractions/base>
  # The broad nameservice abstraction is left disabled on the next line; the
  # individual resolver files and socket types are listed explicitly further
  # down instead, which keeps the grant narrower.
  ## include <abstractions/nameservice>
  include <abstractions/ssl_certs>

  # Read-only access to the controlling terminal.
  /dev/tty r,

  # Huge-page size probe (presumably read by the Go runtime at startup; confirm).
  /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,

  # Per-process /proc entries. `owner` limits each rule to files owned by the
  # same user the confined process is running as.
  owner /proc/@{pid}/cpuset r,
  owner /proc/@{pid}/mounts r,

  # Kernel boot command line, readable regardless of owner.
  # NOTE(review): the reason the server needs this is not visible here; confirm
  # before keeping it.
  /proc/cmdline r,

  # Host and kernel facts, all read-only. product_uuid is a stable host
  # identifier; treat it as fingerprinting data when reviewing this grant.
  /proc/sys/kernel/osrelease r,
  /proc/sys/net/core/somaxconn r,
  /proc/sys/kernel/threads-max r,
  /sys/devices/virtual/dmi/id/product_uuid r,

  # The binary may read and executable-map (`m`) itself. No other path gets
  # `m` or `x` in the rules listed in this profile.
  /usr/sbin/minio rm,

  # Configuration tree: the directory and everything under it are read-only,
  # except config.json, which may also be written, hard-linked (`l`) and
  # locked (`k`). All three rules apply only to files owned by the service user.
  owner /etc/minio/ r,
  owner /etc/minio/config.json rwlk,
  owner /etc/minio/** r,

  # Explicit replacement for the disabled nameservice abstraction: user/group
  # lookup and resolver configuration, read-only.
  /{usr/,}etc/nsswitch.conf r,
  /etc/passwd r,
  /etc/group r,
  /etc/resolv.conf r,
  /etc/host.conf r,
  /etc/gai.conf r,
  /etc/hosts r,

  # MIME type table (presumably used to pick a content type for objects; confirm).
  /etc/mime.types r,

  # Datagram and netlink sockets. The original author attributes these to name
  # resolution; that is plausible but not verified here.
  network inet dgram, # probably DNS lookups over UDP (IPv4)
  network inet6 dgram, # probably DNS lookups over UDP (IPv6)
  network netlink raw, # probably interface/address enumeration for name resolution

  # TCP over IPv4 and IPv6. As written these rules carry no address or port
  # restriction, so they cover both listening and outbound connections; limit
  # exposure with a host firewall if that is too broad.
  network inet stream,
  network inet6 stream,

  # Object data directory: full read/write/link/lock on its contents, but only
  # for files owned by the service user. The directory entry itself is read-only.
  # NOTE(review): a server started with a different data path would need a
  # matching rule in <local/minio>.
  owner /var/lib/minio/ r,
  owner /var/lib/minio/** rwlk,

  # Site-local additions. Anything placed in this file widens the policy, so
  # include it in any audit of this profile.
  include if exists <local/minio>
}

# Confinement for the MinIO client binary, attached by path to
# /usr/bin/minio-mc.
# NOTE(review): the rules visible here contain no `network` rules, no resolver
# files and no file access outside @{HOME}/.minio-mc/. Remote operations and
# local file transfers would be denied unless an included abstraction or
# <local/minio-mc> grants them; confirm this is intended.
profile minio-mc /usr/bin/minio-mc {
  include <abstractions/base>
  # Broad nameservice abstraction intentionally left disabled on the next line.
  ## include <abstractions/nameservice>
  include <abstractions/ssl_certs>
  include <abstractions/consoles>

  # Huge-page size probe (presumably read by the Go runtime at startup; confirm).
  /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,

  # Own cpuset entry only; `owner` limits the rule to files owned by the
  # invoking user.
  owner /proc/@{pid}/cpuset r,

  # Per-user client state directory, read/write, restricted to files the
  # invoking user owns.
  # NOTE(review): presumably this holds saved server aliases and credentials;
  # confirm, and check the directory's on-disk permissions accordingly.
  owner @{HOME}/.minio-mc/ rw,
  owner @{HOME}/.minio-mc/** rw,

  # The binary may read and executable-map (`m`) itself; no `x` permission is
  # granted by the rules listed in this profile.
  /usr/bin/minio-mc rm,

  # Site-local additions. Anything placed in this file widens the policy, so
  # include it in any audit of this profile.
  include if exists <local/minio-mc>
}