#include <tunables/global>

profile hassio-supervisor flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/base>
  #include <abstractions/python>

  network,
  deny network raw,

  signal (send) set=(kill,term),

  /bin/busybox ix,
  /usr/bin/python{,3,3.[0-9]} ix,
  /usr/bin/git cx,
  /usr/bin/socat cx,
  /usr/bin/gdbus cx,

  deny /proc/** wl,
  deny /root/** wl,
  deny /sys/** wl,

  /** r,
  /data/** rw,
  /{,var/}run/docker.sock rw,

  capability net_bind_service,

  profile /usr/bin/socat flags=(attach_disconnected,mediate_deleted) {
    #include <abstractions/base>

    network inet udp,
    network inet tcp,

    deny network raw,
    deny network packet,

    signal (receive) set=(kill,term),
    capability net_bind_service,

    /lib/* mr,
    /usr/bin/socat mr,
  }

  profile /usr/bin/gdbus flags=(attach_disconnected,mediate_deleted) {
    #include <abstractions/base>
    #include <abstractions/dbus>

    unix (send, receive) type=stream,

    /usr/bin/gdbus mr,
    /lib/* mr,
    /{,var/}run/dbus/system_bus_socket rw,
  }

  profile /usr/bin/git flags=(attach_disconnected,mediate_deleted) {
    #include <abstractions/base>

    network,
    deny network raw,

    /bin/busybox ix,
    /usr/bin/git mr,
    /usr/libexec/git-core/* ix,

    deny /data/homeassistant rw,
    deny /data/ssl rw,

    /** r,
    /lib/* mr,
    /data/addons/** lrw,

    capability dac_override,
  }
}