abi <abi/3.0>,

include <tunables/global>

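# Confinement profile for the Synapse (Matrix homeserver) process.
# Dropped the duplicated include <abstractions/python> (it was listed twice);
# every other rule is unchanged.
profile /matrix/synapse {
  include <abstractions/base>
  include <abstractions/python>
  include <abstractions/openssl>
  include <abstractions/ssl_certs>
  include <abstractions/nameservice>

  # Only capability granted: binding listener ports below 1024.
  # TCP (stream) over IPv4/IPv6 only; no datagram/raw sockets are allowed.
  capability net_bind_service,
  network inet  stream,
  network inet6 stream,

  # Server configuration, read-only. This tree typically holds the
  # homeserver config and signing keys, so it is deliberately r-only and
  # never w.
  /etc/matrix-synapse/** r,

  # State and logs: read/write/lock restricted to files owned by the
  # confining user (owner), so a mis-owned file is not writable.
  owner /var/lib/matrix-synapse/ r,
  owner /var/lib/matrix-synapse/** rwlk,
  owner /var/log/matrix-synapse/ r,
  owner /var/log/matrix-synapse/** rwlk,

  # Scratch files; owner-restricted but covers all of /tmp and /var/tmp.
  # NOTE(review): a dedicated private tmp directory would be narrower —
  # confirm whether the service actually needs the whole tree.
  owner /{,var/}tmp/** rwlk,

  # MIME / libmagic / ICU data consulted for media handling.
  /etc/mime.types r,
  /usr/share/misc/magic* r,
  /etc/magic r,
  /usr/share/icu/*/icud*.dat r,

  # Bytecode caches under site-packages are read-only for the service;
  # writes are explicitly denied so a confined process cannot plant .pyc
  # files in the interpreter's import path. Note that `deny` also
  # suppresses the corresponding audit entry unless written as
  # `audit deny`.
  /usr/lib/python3.[0-9]*/site-packages/pyparsing/__pycache__/ r,
  /usr/lib/python3.[0-9]*/site-packages/pyparsing/__pycache__/** r,
  deny /usr/lib/python3.*/site-packages/**/__pycache__/ w,
  deny /usr/lib/python3.*/site-packages/**/__pycache__/** w,

  # Own-process introspection only (@{pid}); no access to other pids.
  @{PROC}/@{pid}/stat r,
  @{PROC}/@{pid}/limits r,
  @{PROC}/@{pid}/mounts r,
  @{PROC}/@{pid}/fd/ r,

  # Explicitly refuse to execute shells, toolchains and git so that an
  # abstraction granting broad exec cannot reintroduce them. The `ld*`
  # glob also matches e.g. ldd; widen or narrow as operational needs show.
  deny /{usr/,}bin/bash rx,
  deny /sbin/ldconfig rx,
  deny /usr/bin/gcc* rx,
  deny /usr/bin/ld* rx,
  deny /usr/{bin,lib,libexec/git}/git rx,
  deny /usr/bin/uname rx,

  # Site-local overrides. NOTE(review): the file is named local/matrix
  # while this profile is /matrix/synapse — confirm the name matches
  # whatever the packaging ships, otherwise local additions are ignored.
  include if exists <local/matrix>
}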
