# AppArmor policy for a Discourse deployment. The file declares two service
# profiles (/discourse/appserver and /discourse/sidekiq) and a /discourse-apps
# container whose child profiles confine the helper programs those services
# exec into via Px transitions.
abi <abi/3.0>,

include <tunables/global>

# Deployment root; application-file rules below are written against this
# variable rather than the literal path.
@{RAILS_ROOT}=/srv/www/vhosts/discourse
# Puma application server. The profile has no attachment path; it is expected
# to be applied by whatever launches Puma (service manager or an exec transition).
profile /discourse/appserver {
  include <abstractions/discourse>
  include <abstractions/discourse-puma-logs>

  # Scratch space: read/write plus link and lock, limited to files we own.
  owner /tmp/** rwlk,

  # The Puma launcher; the interpreter-versioned name is matched with a glob.
  /usr/bin/puma.ruby[23].[0-9]-* r,

  # git is not run inherited: Px moves it into the dedicated child profile
  # (under /discourse-apps) with a scrubbed environment.
  /usr/lib{,exec}/git/git Px -> /discourse-apps//git,

  # The application tree is read-only, except for the three subtrees below
  # that the app server must be able to write to.
  owner @{RAILS_ROOT}/** r,
  owner @{RAILS_ROOT}/app/assets/javascripts/plugins/* rw,
  owner @{RAILS_ROOT}/public/backups/** rw,
  owner @{RAILS_ROOT}/public/uploads/** rw,
}

# Sidekiq background worker. Shares the discourse abstraction with the app
# server but gets its own log file and signalling rules.
profile /discourse/sidekiq {
  include <abstractions/discourse>

  # The Sidekiq launcher; the interpreter-versioned name is matched with a glob.
  /usr/bin/sidekiq.ruby[23].[0-9]-* r,

  # Own log file: write and lock only.
  owner @{RAILS_ROOT}/log/sidekiq.log wk,

  # Writable subtrees of the application; everything else comes from the
  # abstraction.
  owner @{RAILS_ROOT}/app/assets/javascripts/plugins/* rw,
  owner @{RAILS_ROOT}/public/backups/** rw,
  owner @{RAILS_ROOT}/public/uploads/** rw,

  # Scratch space: read/write plus link and lock, limited to files we own.
  owner /tmp/** rwlk,

  # git runs in its child profile with a scrubbed environment (Px).
  /usr/lib{,exec}/git/git Px -> /discourse-apps//git,

  # Sidekiq may TERM any helper running under a /discourse-apps child profile.
  signal send set=(term) peer=/discourse-apps//*,
  # It may also TERM unconfined processes; "audit" makes every such send show
  # up in the audit log, since this reaches outside the confined set.
  audit signal send set=(term) peer=unconfined,
}

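# Container for the helper programs the services transition into. The outer
# profile carries no rules of its own; each helper is confined by one of the
# child profiles below and is reached via "Px -> /discourse-apps//<name>".
profile /discourse-apps {
  # timeout(1) wraps long-running helpers and must be able to stop them.
  profile timeout {
    include <abstractions/base>
    /usr/bin/timeout rm,
    # Only TERM/KILL, and only towards other children of this container.
    signal send set=(term,kill) peer=/discourse-apps//*,
    # Each wrapped helper gets its own child profile (environment scrubbed).
    /usr/bin/magick         Px -> /discourse-apps//magick,
    /usr/lib{,exec}/git/git Px -> /discourse-apps//git,
    /usr/bin/nice           Px -> /discourse-apps//nice,
  }

  # nice(1) is used to lower the priority of image processing.
  profile nice {
    include <abstractions/base>
    /usr/bin/nice rm,
    # The only program nice is allowed to hand off to.
    /usr/bin/magick Px -> /discourse-apps//magick,
  }

  profile hostname {
    include <abstractions/base>
    include <abstractions/nameservice>
    include <abstractions/discourse-puma-logs>
    /usr/bin/hostname rm,
  }

  # ImageMagick processes user-supplied uploads: no network, and writes are
  # limited to the font cache, uploads and temp directories.
  profile magick {
    include <abstractions/base>
    include <abstractions/imagemagick>
    include <abstractions/discourse-puma-logs>

    deny network,

    # fontconfig cache under the application home.
    owner @{RAILS_ROOT}/.cache/ rw,
    owner @{RAILS_ROOT}/.cache/fontconfig/ rw,
    owner @{RAILS_ROOT}/.cache/fontconfig/*.cache-[0-9] rw,

    # Legacy fontconfig location: silently refuse writes rather than log them.
    deny @{RAILS_ROOT}/.fontconfig/ w,

    # Colour profile shipped with the application.
    @{RAILS_ROOT}/vendor/data/RT_sRGB.icm r,

    owner @{RAILS_ROOT}/public/uploads/** rw,
    owner @{RAILS_ROOT}/tmp/** rw,

    owner /tmp/** rw,

    /usr/bin/magick rm,

    # Directory listing of the libheif plugin directory.
    /usr/libexec/libheif/ r,
  }

  # git is used for theme installs; it needs name resolution and TLS.
  profile git {
    include <abstractions/base>
    include <abstractions/nameservice>
    include <abstractions/openssl>
    include <abstractions/ssl_certs>
    include <abstractions/discourse-puma-logs>
    /etc/gitconfig r,
    # git sub-commands run inherited (ix) inside this same profile.
    /usr/lib{,exec}/git/* rmix,
    /usr/share/git-core/** r,
    # Theme checkouts live in per-theme temp directories.
    /tmp/discourse_theme*/ rw,
    /tmp/discourse_theme*/** rwlk,
    @{RAILS_ROOT}/vendor/gems/** r,
  }

  profile mkdir {
    include <abstractions/base>
    /usr/bin/mkdir rm,
  }

  profile grep {
    include <abstractions/base>
    include <abstractions/discourse-puma-logs>
    /usr/bin/grep rm,
  }

  profile uname {
    include <abstractions/base>
    include <abstractions/discourse-puma-logs>
    /usr/bin/uname rm,
  }

  # rm/ln are only used to manage the public plugin tree.
  profile rm {
    include <abstractions/base>
    /usr/bin/rm rm,
    @{RAILS_ROOT}/public/plugins/* w,
  }

  profile ln {
    include <abstractions/base>
    /usr/bin/ln rm,
    @{RAILS_ROOT}/public/plugins/** w,
  }

  # ps(1) reads other processes' /proc entries, which the kernel gates on
  # ptrace read access.
  profile ps {
    include <abstractions/base>
    include <abstractions/consoles>
    include <abstractions/nameservice>
    /{usr/,}bin/ps rm,
    /proc/sys/kernel/osrelease r,
    /proc/*/stat r,
    /proc/*/cmdline r,
    /proc/uptime r,
    /proc/sys/kernel/pid_max r,
    /proc/ r,
    # A bare "ptrace," grants every access mode, including attaching (trace)
    # to other processes. ps only inspects them, so restrict it to read.
    ptrace (read),
  }

  # Shell used by the theme/plugin tooling; reads the deployment root and
  # the theme checkouts, and may hand off to git.
  profile bash {
    include <abstractions/base>
    include <abstractions/consoles>
    include <abstractions/nameservice>
    include <abstractions/discourse-puma-logs>
    include <abstractions/discourse-apps>
    /{usr/,}bin/bash rm,
    /tmp/discourse_theme*/ r,
    # Same path as the rest of the policy: go through the variable so a
    # relocated deployment only needs @{RAILS_ROOT} changed.
    @{RAILS_ROOT}/ r,
    /usr/lib{,exec}/git/git Px -> /discourse-apps//git,
  }

  profile df {
    include <abstractions/base>
    /usr/bin/df rm,
  }

  profile tr {
    include <abstractions/base>
    /usr/bin/tr rm,
  }

  profile cut {
    include <abstractions/base>
    /usr/bin/cut rm,
  }

  profile tail {
    include <abstractions/base>
    /usr/bin/tail rm,
  }

  # Image optimisers below all operate on user-supplied files, so each one
  # is denied the network outright.
  profile oxipng {
    include <abstractions/base>
    include <abstractions/discourse-puma-logs>

    deny network,

    /usr/bin/oxipng rm,
  }

  profile optipng {
    include <abstractions/base>
    include <abstractions/discourse-puma-logs>

    deny network,

    /usr/bin/optipng rm,
  }

  profile pngquant {
    include <abstractions/base>
    include <abstractions/discourse-puma-logs>

    deny network,

    /usr/bin/pngquant rm,
    # Used to size its worker pool.
    /sys/devices/system/cpu/possible r,
  }

  profile jhead {
    include <abstractions/base>
    include <abstractions/discourse-puma-logs>

    deny network,

    /usr/bin/jhead rm,
    # jhead inspects its own process entries; the ptrace rule is limited to
    # this profile as peer, so it cannot reach any other process.
    owner /proc/@{pid}/cmdline r,
    owner /proc/@{pid}/environ r,
    owner /proc/@{pid}/task/ r,
    owner /proc/@{pid}/task/*/status r,
    ptrace peer=/discourse-apps//jhead,
  }

  profile jpegtran {
    include <abstractions/base>
    include <abstractions/discourse-puma-logs>

    deny network,

    /usr/bin/jpegtran rm,
  }

  profile jpegoptim {
    include <abstractions/base>
    include <abstractions/discourse-puma-logs>

    deny network,

    /usr/bin/jpegoptim rm,
  }

  profile gifsicle {
    include <abstractions/base>
    include <abstractions/discourse-puma-logs>

    deny network,

    /usr/bin/gifsicle rm,
    owner @{RAILS_ROOT}/tmp/** rw,
  }

  # svgo is a node script: node itself runs inherited (ix) inside this
  # profile rather than getting one of its own.
  profile svgo {
    include <abstractions/base>
    include <abstractions/consoles>
    include <abstractions/discourse-puma-logs>

    deny network,

    /usr/local/lib/node_modules/svgo/bin/svgo rm,
    /usr/local/lib/node_modules/** r,
    /usr/share/icu/*/icu*.dat r,
    /usr/bin/node10 rmix,
  }
}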
