# /usr/sbin/gitlab-pages -pages-root /srv/gitlab-pages -listen-http :8090 -admin-secret-path /srv/www/vhosts/gitlab-ce/.gitlab_pages_secret -admin-unix-listener /srv/www/vhosts/gitlab-ce/tmp/sockets/private/pages-admin.socket
# /usr/sbin/gitlab-workhorse -listenUmask 0 -listenNetwork unix -listenAddr /srv/www/vhosts/gitlab-ce/tmp/sockets/gitlab-workhorse.socket -authSocket /srv/www/vhosts/gitlab-ce/tmp/sockets/gitlab.socket
# /usr/lib/gitlab/gitaly/bin/gitaly /etc/gitaly/config.toml
#  \_ /usr/bin/ruby.ruby2.6 /usr/lib/gitlab/gitaly/bin/gitaly-ruby 11140 /srv/www/vhosts/gitlab-ce/tmp/sockets/private/gitaly/socket.0
#  \_ /usr/bin/ruby.ruby2.6 /usr/lib/gitlab/gitaly/bin/gitaly-ruby 11140 /srv/www/vhosts/gitlab-ce/tmp/sockets/private/gitaly/socket.1
# unicorn_rails.ruby2.6 master --env production --config-file /srv/www/vhosts/gitlab-ce/config/unicorn.rb
#  \_ unicorn_rails.ruby2.6 worker[0] --env production --config-file /srv/www/vhosts/gitlab-ce/config/unicorn.rb
#  \_ unicorn_rails.ruby2.6 worker[1] --env production --config-file /srv/www/vhosts/gitlab-ce/config/unicorn.rb
#  \_ unicorn_rails.ruby2.6 worker[2] --env production --config-file /srv/www/vhosts/gitlab-ce/config/unicorn.rb
# sidekiq 5.2.5 gitlab-ce [0 of 3 busy]

# Policy ABI pin.  The abi line selects which rule classes the parser emits
# for this policy (e.g. network, ptrace, signal); keep it in step with the
# parser/kernel this policy is loaded on.
abi <abi/4.0>,

include <tunables/global>
# Expected to define the GitLab tunables used below: @{GITLAB_APP_DIR},
# @{GITLAB_BASEDIR}, @{GITLAB_SOCKET_DIR}, @{GITLAB_PRIVATE_SOCKET_DIR}
# (their values are not visible in this file).
include <tunables/gitlab>

# Alias so the Rails log/tmp rules read naturally; same value as the app dir.
@{RAILS_ROOT}=@{GITLAB_APP_DIR}

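# Container profile for the GitLab Rails side (Puma/Unicorn app server and
# Sidekiq) and the helper programs they exec.  It carries no rules of its own:
# all confinement lives in the child profiles, reached via the
# "px -> /gitlab//<child>" transitions below.  Every profile here is still in
# complain mode, so violations are logged rather than blocked.
profile /gitlab flags=(complain) {
  # Puma/Unicorn master and workers (see the process listing at the top).
  profile appserver flags=(complain) {
    include <abstractions/gitlab-rails>
    include <abstractions/gitlab>
    /usr/bin/puma.ruby2.[0-9]-* r,
    /usr/bin/unicorn_rails.ruby2.[0-9]-* r,

    # Helpers the app server shells out to; each runs under its own child profile.
    /bin/bash         rmpx -> /gitlab//bash,
    /usr/bin/tail     rmpx -> /gitlab//tail,
    /usr/bin/gpgconf  rmpx -> /gitlab//gpgconf,
    /usr/bin/gpgsm    rmpx -> /gitlab//gpgsm,
    /usr/bin/gpg2     rmpx -> /gitlab//gpg,

    # Uploaded content; restricted to files owned by the service user.
    owner @{GITLAB_APP_DIR}/public/uploads/** rwlk,

    # Application logs: write + lock only, no read-back.
    owner @{RAILS_ROOT}/log/{unicorn,puma}.stderr.log wk,
    owner @{RAILS_ROOT}/log/{unicorn,puma}.stdout.log wk,
    owner @{RAILS_ROOT}/log/production_json.log wk,
    owner @{RAILS_ROOT}/log/importer.log wk,
    owner @{RAILS_ROOT}/log/application.log wk,
    owner @{RAILS_ROOT}/log/audit_json.log wk,
  }

  # Background job runner.  It pulls in the gitlab-pages abstraction as well,
  # presumably because pages deployments are produced by jobs -- confirm.
  profile sidekiq flags=(complain) {
    include <abstractions/gitlab-rails>
    include <abstractions/gitlab-pages>
    include <abstractions/gitlab>
    /usr/bin/sidekiq.ruby2.[0-9]-* r,

    owner @{RAILS_ROOT}/log/application.log wk,
    owner @{RAILS_ROOT}/log/sidekiq.log wk,

    /usr/bin/gpgconf  rmpx -> /gitlab//gpgconf,
    /usr/bin/gpgsm    rmpx -> /gitlab//gpgsm,
    /usr/bin/gpg2     rmpx -> /gitlab//gpg,
    /bin/bash         rmpx -> /gitlab//bash,
    /usr/bin/find     rmpx -> /gitlab//find,
  }

  # uname is exec'd via the bash child; the log rules let it keep writing to
  # the inherited stdout/stderr file descriptors.
  profile uname flags=(attach_disconnected, complain) {
    include <abstractions/base>
    /usr/bin/uname rm,
    owner @{RAILS_ROOT}/log/{unicorn,puma}.stderr.log a,
    owner @{RAILS_ROOT}/log/{unicorn,puma}.stdout.log a,

    # attach_disconnected maps disconnected paths under /apparmor/.null;
    # denied explicitly to keep that noise out of the logs.
    deny /apparmor/.null rw,
  }

  # Shared git profile; reached from gitaly, gitaly-ruby, git-linguist,
  # git-upload-pack and from git itself (re-exec of sub-commands).
  profile git flags=(complain) {
    include <abstractions/base>

    # Repository storage; owner-only because git runs as the service user.
    owner @{GITLAB_BASEDIR}/** rwlk,
    /usr/share/git-core/** r,
    # Was hard-coded to /srv/www/vhosts/gitlab-ce; uses the same tunable as
    # the rest of this file (that path is what @{GITLAB_APP_DIR} resolves to
    # in the process listing above -- confirm against tunables/gitlab).
    @{GITLAB_APP_DIR}/.mailmap r,

    /bin/bash         rmpx -> /gitlab//bash,
    # git re-execs itself for sub-commands and stays in this profile
    # (the former separate "m" and "px" rules are merged into one).
    /usr/lib/git/git         mpx -> /gitlab//git,
    /usr/bin/git-upload-pack px -> /gitlab//git-upload-pack,

    # Server-side hook wrapper; "px" without a target transitions to the
    # profile named after the path (defined later in this file).
    /usr/lib/gitlab/gitaly/git-hooks/gitlab-shell-hook px,

    # Gitaly may kill/signal the git processes it spawned.
    signal (receive) peer=/usr/lib/gitlab/gitaly/bin/gitaly,
  }

  profile git-upload-pack flags=(complain) {
    include <abstractions/base>
    /usr/bin/git-upload-pack rm,
    owner @{GITLAB_BASEDIR}/** rw,
    /usr/lib/git/git         px -> /gitlab//git,
  }

  # Shell used by the app server, sidekiq, git and the hook wrapper.
  profile bash flags=(complain) {
    include <abstractions/base>
    include <abstractions/bash>
    include <abstractions/consoles>

    /bin/bash rm,
    /usr/bin/uname px -> /gitlab//uname,

    # Ruby launched from bash gets a minimal interpreter profile.  The target
    # name is kept as-is since it is the transition target referenced here.
    /usr/bin/ruby rmpx -> /gitlab//ruby_huh,

    # Prometheus multiprocess directory is not needed by the shell; deny
    # explicitly so the inherited environment does not generate log noise.
    deny @{RAILS_ROOT}/tmp/prometheus_multiproc_dir/** rwlk,
    owner @{RAILS_ROOT}/log/{unicorn,puma}.stderr.log a,
    owner @{RAILS_ROOT}/log/{unicorn,puma}.stdout.log a,
  }

  profile ruby_huh flags=(attach_disconnected, complain) {
    include <abstractions/ruby-modern>
    /usr/bin/ruby rm,
    deny /apparmor/.null rw,
  }

  # find as used by sidekiq.  Note the repository storage rules are not
  # "owner"-qualified and include write/lock -- wider than the read-only app
  # dir rules; narrow once the actual usage is known from complain logs.
  profile find flags=(complain) {
    include <abstractions/base>

    @{RAILS_ROOT}/ r,
    @{RAILS_ROOT}/** r,

    @{GITLAB_BASEDIR}/ rwlk,
    @{GITLAB_BASEDIR}/** rwlk,

    /usr/bin/find rm,
    deny @{RAILS_ROOT}/tmp/prometheus_multiproc_dir/** rwlk,
  }

  profile tail flags=(complain) {
    include <abstractions/base>
    /usr/bin/tail rm,
    # Was hard-coded to /srv/www/vhosts/gitlab-ce/log; now uses the same
    # tunable as every other log rule in this file.
    owner @{RAILS_ROOT}/log/*.log r,
    deny @{RAILS_ROOT}/tmp/prometheus_multiproc_dir/** rwlk,
  }

  # GnuPG helpers (commit signature verification path).  The /tmp/** rules
  # below are broad; the actual GnuPG home/socket location is not visible
  # here -- tighten once complain-mode logs show the real paths.
  profile gpgconf flags=(complain) {
    include <abstractions/base>
    /usr/bin/gpgconf rm,
  }

  profile gpgsm flags=(complain) {
    include <abstractions/base>
    /usr/bin/gpgsm rm,
    owner /tmp/** rwlk,

    /proc/@{pid}/fd/ r,
  }

  profile gpg flags=(complain) {
    include <abstractions/base>
    /usr/bin/gpg2 rm,
    /usr/bin/gpg-agent rmpx -> /gitlab//gpgagent,
    owner /tmp/** rwlk,

    /proc/@{pid}/fd/ r,
  }

  profile gpgagent flags=(complain) {
    include <abstractions/base>
    /usr/bin/gpg-agent rm,

    owner /tmp/** rwlk,

    /proc/@{pid}/fd/ r,
  }
}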

# GitLab Pages daemon (static site server).  Still in complain mode.
/usr/sbin/gitlab-pages flags=(complain) {
  include <abstractions/base>
  include <abstractions/gitlab-pages>

  # HTTP listener (-listen-http in the process listing at the top).
  network inet stream,
  network inet6 stream,

  # File passed as -admin-secret-path; read-only, not "owner"-qualified
  # because it is owned by the Rails side.
  @{GITLAB_APP_DIR}/.gitlab_pages_secret r,

  # Admin socket (-admin-unix-listener), created by this process.
  owner @{GITLAB_PRIVATE_SOCKET_DIR}/pages-admin.socket rwlk,

  /etc/mime.types r,

  # Read by the Go network stack at listen time; candidate for a shared
  # abstractions/golang-network.
  /proc/sys/net/core/somaxconn   r,
}

# gitlab-workhorse: the proxy in front of the Rails app server.  It reaches
# Rails over the unix socket named by -authSocket and listens on -listenAddr
# (see the process listing at the top).  Still in complain mode.
/usr/sbin/gitlab-workhorse flags=(complain) {
  include <abstractions/base>
  include <abstractions/gitlab>

  # Workhorse secret file; read-only.
  @{GITLAB_APP_DIR}/.gitlab_workhorse_secret r,

  # Listener socket created by this process.
  owner @{GITLAB_SOCKET_DIR}/gitlab-workhorse.socket rwlk,

  # Static assets and docs served directly, plus the uploads it writes.
  @{GITLAB_APP_DIR}/public/ r,
  @{GITLAB_APP_DIR}/public/** r,
  @{GITLAB_APP_DIR}/doc/** r,
  owner @{GITLAB_APP_DIR}/public/uploads/** rwlk,

  # Scratch space: "**" here matches /tmp/gitlab-workhorse<anything> and
  # everything beneath it.
  owner /tmp/gitlab-workhorse** rwlk,

  /etc/mime.types r,
  /sys/devices/system/cpu/online r,
  /proc/sys/net/core/somaxconn   r,

  # Zip helpers run under local child profiles (cx), scoped to this profile.
  /usr/sbin/gitlab-zip-cat      cx -> gitlab_zip_cat,
  /usr/sbin/gitlab-zip-metadata cx -> gitlab_zip_metadata,

  profile gitlab_zip_cat flags=(complain) {
    include <abstractions/base>
    /usr/sbin/gitlab-zip-cat rm,
    /proc/sys/net/core/somaxconn r,
  }

  profile gitlab_zip_metadata flags=(complain) {
    include <abstractions/base>
    /usr/sbin/gitlab-zip-metadata rm,
    /proc/sys/net/core/somaxconn r,
    # Artifact upload staging area.  Hard-coded; no tunable for it is
    # visible in this file.
    owner /srv/gitlab/artifacts/tmp/uploads/** r,
  }
}

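# Gitaly (git RPC service) and the helpers it spawns.  Children are addressed
# as /usr/lib/gitlab/gitaly/bin/gitaly//<name>; git itself is handed to the
# shared /gitlab//git profile.  Everything here is still in complain mode.
/usr/lib/gitlab/gitaly/bin/gitaly flags=(complain) {
  include <abstractions/base>
  include <abstractions/gitaly>
  include <abstractions/gitlab>

  /etc/gitaly/config.toml r,

  # Scratch files also touched by the ruby child profile below.
  owner /tmp/gitaly-linguist-* rwlk,

  /proc/sys/net/core/somaxconn r,

  # Main listener plus the directory of per-worker gitaly-ruby sockets.
  owner @{GITLAB_PRIVATE_SOCKET_DIR}/gitaly.socket rwlk,
  owner @{GITLAB_PRIVATE_SOCKET_DIR}/gitaly/  rwlk,
  owner @{GITLAB_PRIVATE_SOCKET_DIR}/gitaly/* rwlk,

  /usr/bin/bundle.* px -> /usr/lib/gitlab/gitaly/bin/gitaly//bundle,

  # Exec transitions into child profiles.  The gitaly and gitaly-ssh rules
  # were previously listed twice each (identical apart from alignment); one
  # copy of each is kept.
  /usr/lib/gitlab/gitaly/bin/ruby-cd     px -> /usr/lib/gitlab/gitaly/bin/gitaly//ruby-cd,
  /usr/lib/gitlab/gitaly/bin/gitaly      px -> /usr/lib/gitlab/gitaly/bin/gitaly//gitaly,
  /usr/lib/gitlab/gitaly/bin/gitaly-ssh  px -> /usr/lib/gitlab/gitaly/bin/gitaly//gitaly-ssh,

  /usr/lib/git/git                       px -> /gitlab//git,
  /bin/ps                                px -> /usr/lib/gitlab/gitaly/bin/gitaly//ps,
  /usr/bin/du                            px -> /usr/lib/gitlab/gitaly/bin/gitaly//du,

  # Gitaly supervises its children and the git processes it spawns.
  signal (send) peer=/usr/lib/gitlab/gitaly/bin/gitaly//*,
  signal (send) peer=/gitlab//git,

  # bundler wrapper that launches gitaly-ruby and git-linguist.
  profile bundle flags=(complain) {
    include <abstractions/base>
    include <abstractions/ruby-modern>

    /usr/bin/ruby.ruby2.? px -> /usr/lib/gitlab/gitaly/bin/gitaly//ruby,

    /usr/bin/git-linguist.* px -> /usr/lib/gitlab/gitaly/bin/gitaly//git-linguist,

    /usr/lib/gitlab/gitaly/** r,
    /usr/lib/gitlab/gitaly/bin/gitaly-ruby px -> /usr/lib/gitlab/gitaly/bin/gitaly//gitaly-ruby,

    signal (receive) peer=/usr/lib/gitlab/gitaly/bin/gitaly,
  }

  profile git-linguist flags=(complain) {
    include <abstractions/gitaly>
    include <abstractions/ruby-modern>

    owner @{GITLAB_BASEDIR}/** rw,
    /usr/bin/git-linguist.* r,
    /usr/lib/git/git                         px -> /gitlab//git,

    signal (receive) peer=/usr/lib/gitlab/gitaly/bin/gitaly,
  }

  # Plain ruby interpreter as started by bundle; the interpreter binary itself
  # is not granted here -- presumably covered by abstractions/ruby-modern,
  # verify against complain logs.
  profile ruby flags=(complain) {
    include <abstractions/gitaly>
    include <abstractions/ruby-modern>

    owner /tmp/gitaly-linguist-* rwlk,
  }

  profile ruby-cd flags=(complain) {
    include <abstractions/gitaly>
    include <abstractions/ruby-modern>
  }

  # gitaly-ruby sidecar workers (two in the process listing at the top).
  profile gitaly-ruby flags=(complain) {
    include <abstractions/gitaly>
    include <abstractions/ruby-modern>

    owner @{GITLAB_BASEDIR}/** rwlk,
    @{GITLAB_APP_DIR}/REVISION r,
    owner @{GITLAB_PRIVATE_SOCKET_DIR}/gitaly/socket.* rwlk,

    /proc/sys/net/core/somaxconn r,

    signal (receive) peer=/usr/lib/gitlab/gitaly/bin/gitaly,

    /usr/lib/git/git                         px -> /gitlab//git,
  }

  # Re-exec of gitaly itself and the ssh helper.  Unlike the du/ps children
  # these grant nothing beyond the base abstraction; if complain logs show
  # denials for the binaries, add the corresponding rules here.
  profile gitaly flags=(complain) {
    include <abstractions/base>
  }

  profile gitaly-ssh flags=(complain) {
    include <abstractions/base>
  }

  profile du flags=(complain) {
    include <abstractions/base>

    /usr/bin/du rm,
    @{GITLAB_BASEDIR}/** r,
  }

  profile ps flags=(complain) {
    include <abstractions/base>
    include <abstractions/consoles>
    include <abstractions/nameservice>
    /{usr/,}bin/ps rm,
    /proc/sys/kernel/osrelease r,
    /proc/*/stat r,
    /proc/*/cmdline r,
    /proc/uptime r,
    /proc/sys/kernel/pid_max r,
    /proc/ r,
    # Reading other processes' /proc entries (cmdline in particular) is
    # mediated as the ptrace "read" access.  ps never attaches to anything,
    # so the former unqualified "ptrace," (which allows every ptrace access,
    # including trace) is narrowed to read-only.
    ptrace (read),
  }
}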

# Server-side git hook wrapper; entered from /gitlab//git and dispatches to
# the gitlab-shell pre-receive/update/post-receive hooks.  Complain mode.
/usr/lib/gitlab/gitaly/git-hooks/gitlab-shell-hook flags=(complain) {
  include <abstractions/base>
  include <abstractions/bash>
  include <abstractions/consoles>
  include <abstractions/nameservice>

  /usr/lib/gitlab/gitaly/git-hooks/gitlab-shell-hook r,

  owner @{GITLAB_APP_DIR}/log/gitlab-shell.log rw,

  # Shell and coreutils used by the wrapper: bash goes to the shared
  # /gitlab//bash profile, the two coreutils to local (cx) children.
  /bin/bash         rmpx -> /gitlab//bash,
  /usr/bin/basename rmcx -> basename,
  /usr/bin/dirname  rmcx -> dirname,

  # The real hooks; gitlab-shell may live directly under gitaly or under
  # vendor/.  "r" lets the interpreter read the script (their profiles pull
  # in ruby-modern), "cx" confines each in its own local profile.
  /usr/lib/gitlab/gitaly/{vendor/,}gitlab-shell/hooks/pre-receive  rcx -> pre_receive,
  /usr/lib/gitlab/gitaly/{vendor/,}gitlab-shell/hooks/update       rcx -> update,
  /usr/lib/gitlab/gitaly/{vendor/,}gitlab-shell/hooks/post-receive rcx -> post_receive,

  profile basename flags=(complain) {
    include <abstractions/base>

    /usr/bin/basename rm,
  }

  profile dirname flags=(complain) {
    include <abstractions/base>

    /usr/bin/dirname rm,
  }

  profile pre_receive flags=(complain) {
    include <abstractions/ruby-modern>
    include <abstractions/gitlab-shell-hooks>
    /usr/lib/gitlab/gitaly/{vendor/,}gitlab-shell/hooks/pre-receive r,
  }

  profile update flags=(complain) {
    include <abstractions/ruby-modern>
    include <abstractions/gitlab-shell-hooks>
    /usr/lib/gitlab/gitaly/{vendor/,}gitlab-shell/hooks/update r,
  }

  profile post_receive flags=(complain) {
    include <abstractions/ruby-modern>
    include <abstractions/gitlab-shell-hooks>
    /usr/lib/gitlab/gitaly/{vendor/,}gitlab-shell/hooks/post-receive r,
  }
}
