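# AppArmor profile for the 3dprinter-octoprint add-on (Home Assistant add-on
# style: S6-Overlay supervision, Bashio helpers, add-on data under /data).
#
# NOTE(review): on the page the `#include` directives had lost their <target>
# (most likely stripped as HTML); the standard targets are restored below —
# confirm against the original file.
#include <tunables/global>

profile 3dprinter-octoprint flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/base>

  # Capabilities
  # NOTE(review): a bare `file,` rule grants broad access (read/write/lock/mmap,
  # execute excluded as far as I recall) to every path, so the per-path `rw`
  # rules below add nothing and the filesystem is effectively unconfined.
  # Replace it with explicit paths once the required set is known (the
  # audit-log procedure in the commented template below is the way to find it).
  file,
  signal (send) set=(kill,term,int,hup,cont),

  # S6-Overlay
  /init ix,
  /bin/** ix,
  /usr/bin/** ix,
  /run/{s6,s6-rc*,service}/** ix,
  /package/** ix,
  /command/** ix,
  /etc/services.d/** rwix,
  /etc/cont-init.d/** rwix,
  /etc/cont-finish.d/** rwix,
  /run/{,**} rwk,
  /dev/tty rw,

  # Bashio
  /usr/lib/bashio/** ix,
  /tmp/** rwk,

  # Access to options.json and other files within your addon
  /data/** rw,

  # nginx
  # NOTE(review): `ix` on /var/lib/nginx/** grants execute, not write; nginx
  # usually writes temp/cache files there, so this may have been meant as `rw`.
  # It is masked by the bare `file,` rule today but will matter once that rule
  # is removed — confirm the intended permission.
  /var/lib/nginx/** ix,
  /var/log/nginx/** rw,

  # Start new profile for service
  # /usr/bin/my_program cx -> my_program,
  #
  # profile my_program flags=(attach_disconnected,mediate_deleted) {
  #   #include <abstractions/base>
  #
  #   # Receive signals from S6-Overlay
  #   # NOTE(review): `*_example` is the template placeholder; the profile that
  #   # sends the signals here is named 3dprinter-octoprint, which this pattern
  #   # would not match — set peer to that name if this sub-profile is enabled.
  #   signal (receive) peer=*_example,
  #
  #   # Access to options.json and other files within your addon
  #   /data/** rw,
  #
  #   # Access to mapped volumes specified in config.json
  #   /share/** rw,
  #
  #   # Access required for service functionality
  #   # Note: List was built by doing the following:
  #   # 1. Add what is obviously needed based on what is in the script
  #   # 2. Add `complain` as a flag to this profile temporarily and run the addon
  #   # 3. Review the audit log with `journalctl _TRANSPORT="audit" -g 'apparmor="ALLOWED"'` and add other access as needed
  #   # Remember to remove the `complain` flag when you are done
  #
  #   /usr/bin/my_program r,
  #   /bin/bash rix,
  #   /bin/echo ix,
  #   /etc/passwd r,
  #   /dev/tty rw,
  # }
}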