# AppArmor profile confining /usr/bin/tmate-ssh-server.
# The feature ABI is pinned so the rules are compiled against the policy
# feature set the profile was written for.
abi <abi/4.0>,

include <tunables/global>

# Runtime working directory; every writable path granted below lives under it.
@{TMATE_WORK_DIR}=/run/tmate-ssh-server

# attach_disconnected: paths that cannot be resolved back to the namespace root
# are attached to "/" for mediation instead of being rejected.
# NOTE(review): presumably needed because the server chroots / changes
# namespaces (see the capabilities below) - confirm it is still required,
# since the flag loosens path matching.
profile tmate-ssh-server /usr/bin/tmate-ssh-server flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/nameservice>
  include <abstractions/consoles>
  include <abstractions/openssl>

  # Capabilities for chroot() and for changing gid/uid.
  # NOTE(review): sys_admin is the broadest capability in this list and covers
  # far more than jail setup; presumably it is here for namespace/mount
  # operations while building the session jail - confirm, and keep it at the
  # top of the list when auditing this profile.
  capability sys_chroot,
  capability sys_admin,
  capability setgid,
  capability setuid,

  # The server may read and executable-map its own binary. No execute (x)
  # permission is granted by any rule written in this file; the abstractions
  # and the local override are the only other places one could come from.
  /usr/bin/tmate-ssh-server rm,

  # Writable state. "sessions/*" matches a single path component, so entries
  # directly inside sessions/ get read/write/link/lock while nested
  # directories are not covered. jail/ is granted as a directory only, with
  # nothing beneath it (presumably the empty chroot target - confirm).
  @{TMATE_WORK_DIR}/           rw,
  @{TMATE_WORK_DIR}/sessions/  rw,
  @{TMATE_WORK_DIR}/sessions/* rwlk,
  @{TMATE_WORK_DIR}/jail/      rw,

  # SSH server configuration, read-only.
  /etc/libssh/libssh_server.config r,
  /etc/ssh/sshd_config r,

  # The service's own key material: read-only, recursive ("**").
  /etc/tmate-ssh-server/keys/ r,
  /etc/tmate-ssh-server/keys/** r,
  # Explicit deny on the system sshd host keys. A deny rule takes precedence
  # over any allow rule, including ones pulled in through an abstraction or
  # the local override, so those keys stay unreadable to this service.
  # Plain deny rules are not logged; "audit deny" would be needed if blocked
  # attempts should show up in the audit log for detection.
  deny /etc/ssh/ssh_host_* r,

  # Terminal capability database, read-only.
  /usr/share/terminfo/   r,
  /usr/share/terminfo/** r,

  # System-wide tmux configuration, read-only.
  /etc/tmux.conf r,

  # Pseudo-terminal multiplexer, opened to allocate ptys for sessions.
  # The slave side under /dev/pts/ is not granted by this file; presumably it
  # comes from abstractions/consoles - confirm.
  /dev/ptmx rw,

  # Optional site-local additions. Anything placed in that file widens this
  # policy (deny rules above still win), so review it together with the
  # profile.
  include if exists <local/tmate-ssh-server>
}
