  # AppArmor confinement for the Nextcloud PHP-FPM workers (presumably one pool;
  # the pool definition is not part of this excerpt). Access is limited to what
  # the rules below and the included abstraction/snippets grant.
  #
  # Permission letters used below: r = read, w = write, l = link, k = lock,
  # x = execute. The "owner" qualifier restricts a rule to files owned by the
  # user the confined process runs as.
  #
  # flags=(attach_disconnected): paths that cannot be resolved from the
  # namespace root are attached to "/" and matched there.
  # NOTE(review): why this flag is needed is not visible here - confirm.
  profile nextcloud flags=(attach_disconnected) {
    # Shared base rules for PHP-FPM (contents not shown in this excerpt).
    include <abstractions/php-fpm>

    # Application log: read, write, link and lock on this single file only.
    /var/log/nextcloud/nextcloud.log rwlk,

    # Application tree: directory listing and read access only. No rule in this
    # block grants write access below public/, so the confined process cannot
    # alter application code unless an included snippet adds that permission.
    /srv/www/vhosts/nextcloud/public/ r,
    /srv/www/vhosts/nextcloud/public/** r,
    # Config files additionally get lock (k). Together with the read rule above
    # they can be read and locked, but not written.
    # NOTE(review): anything that must write the config through the web process
    # will be refused unless a snippet grants it - confirm this is intended.
    /srv/www/vhosts/nextcloud/public/config/config.php k,
    /srv/www/vhosts/nextcloud/public/config/*.config.php k,
    # Data directory contents: full read/write/link/lock, not restricted by owner.
    /srv/www/vhosts/nextcloud/data/**   rwlk,
    # Per-vhost temp directory: listing requires ownership of the directory.
    owner /srv/www/vhosts/nextcloud/tmp/      r,
    # NOTE(review): unlike sessions/** below, this rule has no "owner"
    # qualifier, so files created here by other users are accessible too -
    # confirm this difference is deliberate.
    /srv/www/vhosts/nextcloud/tmp/**    rwlk,
    # Session storage: both the directory and its contents are owner-restricted.
    owner /srv/www/vhosts/nextcloud/sessions/ r,
    owner /srv/www/vhosts/nextcloud/sessions/** rwlk,

    # Required for sending e-mail, which seems to ignore the tmp dir setting in
    # the pool. "owner" limits this to files owned by the process's own user,
    # but the rule still spans the whole shared /tmp tree.
    owner /tmp/** rwlk,

    # Explicitly refuse reading and executing bash at /bin/bash and
    # /usr/bin/bash. A deny rule takes precedence over any allow rule, including
    # those pulled in by the includes, and denials are not logged unless "audit"
    # is added. Only bash is named here; other shells and interpreters depend on
    # what the includes permit.
    deny /{usr/,}bin/bash rx,
    ###
    # Pull in snippets provided e.g. by plugin directories.
    #
    # We use the directory layout for abstraction includes in AppArmor 3.
    # "if exists" makes a missing path a no-op instead of a load error.
    #
    include if exists <php-fpm.d/nextcloud.d>
    #
    # Allow admins to add snippets as well.
    # Everything included here is merged into this profile and can widen it, so
    # these snippet directories should be writable by root only.
    #
    include if exists <local/php-fpm.d/nextcloud.d>
    #
    ###
  }
