# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/3.0>,

include <tunables/global>

@{exec_path} = /etc/cron.daily/exim4-base
profile cron-exim4-base @{exec_path} {
  include <abstractions/base>
  include <abstractions/nameservice-strict>
  include <abstractions/authentication>
  include <abstractions/consoles>

  capability dac_read_search,
  capability setgid,
  capability setuid,
  capability audit_write,
  capability sys_ptrace,

  ptrace (read),

  network netlink raw,

  @{exec_path} r,
  /{usr/,}bin/{,ba,da}sh rix,

  /{usr/,}bin/sed        rix,
  /{usr/,}bin/{,e}grep   rix,
  /{usr/,}bin/logger     rix,
  /{usr/,}bin/mail       rix,
  /{usr/,}bin/hostname   rix,
  /{usr/,}bin/xargs      rix,
  /{usr/,}bin/find       rix,
  /{usr/,}sbin/eximstats rix,

  /{usr/,}sbin/exim4     rPx,
  /{usr/,}sbin/exim_tidydb       rix,

  /{usr/,}sbin/start-stop-daemon rix,
  /{usr/,}sbin/runuser           rix,

  /etc/default/exim4 r,

  /var/spool/exim4/db/ r,
  /var/spool/exim4/db/* rwk,

        @{PROC}/ r,
  owner @{PROC}/@{pid}/fd/ r,
        @{PROC}/1/limits r,

  /etc/security/limits.d/ r,

  include if exists <local/cron-exim4-base>
}