  include <abstractions/base>
  ## include <abstractions/nameservice>
  include <abstractions/ssl_certs>

  /dev/tty r,

  /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,
  /etc/machine-id r,

  owner /proc/@{pid}/cpuset r,
  owner /proc/@{pid}/mounts r,
  owner /proc/@{pid}/cgroup r,

  /proc/@{pid}/net/dev r,

  /proc/cmdline r,
  /proc/version r,
  /proc/loadavg r,
  /proc/vmstat  r,


  /sys/devices/virtual/block/*/stat r,
  /sys/devices/system/cpu/cpufreq/*/cpuinfo_max_freq r,

  /proc/sys/kernel/osrelease r,
  /proc/sys/net/core/somaxconn r,
  /proc/sys/kernel/threads-max r,
  /sys/devices/virtual/dmi/id/product_uuid r,

  /usr/sbin/minio rm,

  /etc/minio/ r,
  /etc/minio/** r,

  /{usr/,}etc/nsswitch.conf r,
  /etc/passwd r,
  /etc/group r,
  /etc/resolv.conf r,
  /etc/host.conf r,
  /etc/gai.conf r,
  /etc/hosts r,

  /etc/mime.types r,

  network inet dgram,  # probably dns resolving
  network inet6 dgram, # probably dns resolving
  network netlink raw, # more name resolving

  network inet stream,
  network inet6 stream,

  # for binding to 443
  capability net_bind_service,
