abi <abi/4.0>,

include <tunables/global>
#
# I run forked-daapd this override file:
#
# cat /etc/systemd/system/forked-daapd.service.d/override.conf
# [Service]
# MemoryMax=
# MemorySwapMax=
# User=daapd
# Group=daapd
#
# without this override file at least the owner flag for the log file probably has to be removed
# and it will require the dac_override capability
#
profile forked-daapd /usr/sbin/forked-daapd {
  include <abstractions/base>
  include <abstractions/openssl>
  include <abstractions/nameservice>
  include <abstractions/audio>

  capability setuid,
  capability setgid,
  capability chown,
  capability fowner,

  network inet,
  network inet6,

  /proc/@{pid}/fd/         r,
  /proc/@{pid}/task/*/comm rw,
  /dev/shm/ r,

  /etc/machine-id r,

  /usr/sbin/forked-daapd rm,

  /etc/forked-daapd.conf r,
  /usr/lib{,64}/forked-daapd/*.so rm,
  /usr/share/forked-daapd/**      r,

  # would like to use owner here but it is tricky with starting as root and then switching to daapd user
  owner /var/cache/forked-daapd/   r,
  owner /var/cache/forked-daapd/** rwlk,
  owner /var/lib/forked-daapd/**   rwlk,
  owner /var/log/forked-daapd.log  w,

  /srv/music/ r,
  /srv/music/** r,

  include if exists <local/forked-daapd>
}
