#include <tunables/global>

profile pulse-sensor-proxy /opt/pulse/sensor-proxy/bin/pulse-sensor-proxy flags=(attach_disconnected,mediate_deleted) {
  capability chown,
  capability dac_override,
  capability dac_read_search,
  capability setgid,
  capability setuid,
  
  network inet stream,
  network inet6 stream,
  network unix stream,
  deny network raw,

  @{PROC}/@{pid}/fd/** r,
  @{PROC}/@{pid}/cmdline r,
  @{PROC}/@{pid}/stat r,
  @{PROC}/@{pid}/status r,

  /opt/pulse/sensor-proxy/bin/pulse-sensor-proxy mr,
  /opt/pulse/sensor-proxy/bin/* mr,
  /opt/pulse/sensor-proxy/.ssh/** rwk,
  /opt/pulse/sensor-proxy/etc/** r,
  /opt/pulse/sensor-proxy/** r,
  /var/log/pulse/sensor-proxy/** rw,
  /run/pulse-sensor-proxy/** rw,

  /etc/hosts r,
  /etc/hostname r,
  /etc/resolv.conf r,
  /etc/pulse-sensor-proxy/** r,

  /usr/bin/ssh mr,
  /usr/bin/socat mr,
  /usr/bin/sensors mr,
  /usr/sbin/ipmitool mr,
  /bin/bash mr,
  /bin/sh mr,
  /bin/cat mr,
  /bin/echo mr,
  /usr/bin/tee mr,

  /usr/lib/** mr,
  /lib/** mr,

  deny /etc/shadow rwl,
  deny /root/** rwxl,

  ptrace (read) peer=pulse-sensor-proxy,

  signal (receive) set=(hup term int usr1 usr2),
  signal (send) set=(term) peer=pulse-sensor-proxy,

  /usr/bin/ssh ixr,
  /usr/bin/sensors ixr,
  /usr/sbin/ipmitool ixr,
  /bin/sh ixr,
  /bin/cat ixr,
  /bin/echo ixr,
  /usr/bin/tee ixr,

  deny mount,
  deny ptrace,
  deny sys_module,
  deny sys_rawio,
  deny sys_admin,

  @{HOME}/.cache/** rw,

  include <abstractions/base>
  include <abstractions/authentication>
  include <abstractions/nameservice>
  include <abstractions/openssl>
  include <abstractions/user-tmp>
}