abi <abi/4.0>,

include <tunables/global>

# AppArmor profile for the nginx binary at /usr/sbin/nginx.
# No child profiles or exec transitions are declared in this block, so the
# rules below are the complete policy visible here, apart from whatever the
# included abstractions and local overrides add.
# attach_disconnected: paths that are disconnected from the namespace are
# attached to the root for mediation instead of being rejected.
profile nginx /usr/sbin/nginx flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/nameservice>
  include <abstractions/openssl>
  # NOTE(review): presumably for the embedded Perl module; confirm it is in use
  # before keeping this abstraction.
  include <abstractions/perl>
  include <abstractions/ssl_certs>

  # Capabilities to change file ownership and to switch uid/gid.
  capability chown,
  capability setuid,
  capability setgid,
  # Opening log files and /var/lib/nginx/ files/directories while we are still root.
  # Both capabilities bypass discretionary permission checks; file access is
  # still limited to the path rules in this profile.
  capability dac_override,
  capability dac_read_search,
  # NOTE(review): nothing here explains why ptrace capability is needed;
  # presumably tied to the /proc/1/environ read below. Confirm it is required,
  # as it is broader than a web server normally needs.
  capability sys_ptrace,

  # Configuration tree, read-only. Anything stored under /etc/nginx
  # (including key material, if kept there) is readable.
  /etc/nginx/** r,

  # Dynamic modules: read and map executable (r + m), no write.
  /usr/lib{64,}/nginx/modules/*.so rm,

  # PID file under /run or /var/run: read, write, link, lock.
  /{var/,}run/nginx.pid rwlk,

  # State directory: the directory itself plus everything below it.
  /var/lib/nginx/   rw,
  /var/lib/nginx/** rwlk,

  # Log files. NOTE(review): `w` permits overwriting and truncating existing
  # logs, not only appending; consider whether append-only (`a`) is sufficient
  # if log integrity matters after a compromise.
  /var/log/nginx/** rwlk,

  # Served content, read-only: nothing under the web root is writable.
  /srv/www/** r,

  # Appears to come from uname() in src/os/unix/ngx_linux_init.c (unconfirmed).
  /proc/sys/kernel/osrelease r,
  # NOTE(review): no rationale is given for these two reads. /proc/1/environ
  # exposes the environment of PID 1, which can contain secrets (for example in
  # containers); confirm both are needed before shipping.
  /proc/1/environ r,
  /proc/cmdline r,

  # Optional site-local additions, included only if the files exist. Rules
  # placed there extend this profile, so review them with the same care.
  include if exists <local/usr.sbin.nginx>
  include if exists <local/nginx>
}
