#include <tunables/global>

profile hassio-supervisor flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/base>
  #include <abstractions/python>

  network,
  deny network raw,

  /bin/busybox ix,
  /usr/bin/python{,3,3.[0-9]} ix,
  /usr/bin/git cx,
  /usr/bin/socat cx,
  /usr/bin/gdbus cx,

  deny /bin/** wl,
  deny /boot/** wl,
  deny /etc/** wl,
  deny /home/** wl,
  deny /lib/** wl,
  deny /mnt/** wl,
  deny /proc/** wl,
  deny /root/** wl,
  deny /sbin/** wl,
  deny /tmp/** wl,
  deny /sys/** wl,
  deny /usr/** wl,
  /** r,

  /data/** rw,
  /var/run/docker.sock rw,

  profile /usr/bin/socat {
    #include <abstractions/base>

    network inet udp,
    network inet tcp,

    deny network raw,
    deny network packet,

    /usr/bin/socat mr,
  }

  profile /usr/bin/gdbus {
    #include <abstractions/base>
    #include <abstractions/dbus>

    /usr/bin/gdbus mr,
    /var/run/dbus/system_bus_socket rw,
  }

  profile /usr/bin/git {
    #include <abstractions/base>

    network,
    deny network raw,

    /usr/bin/git mr,
    /usr/libexec/git-core/* ix,
    /usr/share/git-core/** r,
    /lib/* mr,

    /data/addons/** rw,
  }
}