# This AppArmor profile is part of the powerdns-api-proxy package
# Georg Pfuetzenreuter <mail+apparmor@georg-pfuetzenreuter.net>

abi <abi/3.0>,

include <tunables/global>

profile powerdns-api-proxy flags=(attach_disconnected) {
  #include <abstractions/base>
  #include <abstractions/openssl>
  #include <abstractions/nameservice>

  network inet stream,
  network inet6 stream,

  unix (receive),

  deny / r,
  deny /usr/bin/ r,

  /usr/bin/uvicorn{,-3.{11,12,13}} mrix,
  /etc/powerdns-api-proxy.yaml r,

  /proc/@{pid}/{fd/,limits,stat} r,

  /usr/share/libalternatives/{,uvicorn/{,3{11,12,13}.conf}} r,

  include if exists <local/powerdns-api-proxy>
}
