#CAPABILITIES
  #ipc
    # Signalling between tasks confined by this same profile (e.g. the postmaster
    # and the backends it forks).
    signal peer=@{profile_name},
  #network&sockets
    # No peer restriction: any task, confined or unconfined, may signal this profile.
    # NOTE(review): presumably needed for the service manager / pg_ctl; could be
    # narrowed to `signal receive peer=unconfined,` plus the named profiles that
    # must signal us - confirm against the audit log before tightening.
    signal receive,
    network inet,
    network inet6,
    # NOTE(review): this grants every netlink family. Interface enumeration in
    # getaddrinfo() only needs `network netlink raw,` - verify before narrowing.
    network netlink,
    # Create AF_UNIX sockets; the socket paths themselves are granted separately
    # (e.g. /run/postgresql/** further down).
    unix create,

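#UNIX_SPECIFIC
  #bin
    # NOTE(review): `**` together with `ix` lets *any* file under these trees be
    # executed under this profile (helper binaries as well as libraries); shared
    # libraries only need `mr`. Left as-is here - narrowing requires a denial audit
    # on a running instance first.
    /usr/lib/x86_64-linux-gnu/** rix,
    /lib/x86_64-linux-gnu/** rix,
    # libc: `m` allows the PROT_EXEC mapping; the `ix` part is already implied by
    # the `/lib/x86_64-linux-gnu/**` glob above.
    /lib/x86_64-linux-gnu/libc-@{lib_version}.so rmix,
    #getent
      # NSS modules and the dynamic loader, dlopen'd / mapped by glibc for
      # name-service lookups. (A duplicate, strictly weaker `libc ... mr` rule that
      # used to end this list was dropped - libc is covered by the `rmix` rule above.)
      /lib/x86_64-linux-gnu/libnss_files-@{lib_version}.so mr,
      /lib/x86_64-linux-gnu/libnsl-@{lib_version}.so mr,
      /lib/x86_64-linux-gnu/libnss_nis-@{lib_version}.so mr,
      /lib/x86_64-linux-gnu/libnss_compat-@{lib_version}.so mr,
      /lib/x86_64-linux-gnu/ld-@{lib_version}.so r,
  #lib
    /usr/lib/locale/locale-archive r,
    /usr/lib/os-release r,
  #run
    /run/resolvconf/resolv.conf r,
  #proc
    /proc/meminfo r,
    /proc/sys/kernel/hostname r,
    /proc/sys/vm/overcommit_memory r,
    /proc/sys/net/core/somaxconn r,
    # `owner`: only /proc entries whose owner matches the task's fsuid, i.e. the
    # process's own entries - never another process's oom_score_adj or fd table.
    owner /proc/@{pid}/oom_score_adj w,
    owner /proc/@{pid}/fd/*          r,
  #sys
    /sys/devices/system/cpu/online r,
    /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,
  #dev
    /dev/urandom r,
    /dev/random r,
    /dev/null rw,
  #locale
    /usr/lib/locale/ r,
    /usr/lib/locale/C.UTF-8/LC_COLLATE r,
    /usr/lib{,32,64}/locale/** mr,
  #timezones
    /usr/share/zoneinfo/ r,
    /usr/share/zoneinfo/** r,
  #etc
    # Refuse the system-wide preload list so a planted library cannot be injected
    # into the server through the dynamic loader. The explicit deny also keeps
    # glibc's routine probe for this file out of the audit log (deny rules are
    # quiet unless prefixed with `audit`).
    deny /etc/ld.so.preload r,
    /etc/hosts r,
    /etc/host.conf r,
    /etc/resolv.conf r,
    /etc/gai.conf r,
    /etc/nsswitch.conf r,
    /etc/passwd r,
    /etc/locale.alias r,
    /etc/ld.so.cache r,
    /etc/ssl/openssl.cnf r,
    /etc/services r,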

#JAVA_SPECIFIC
#WAL-G SPECIFIC
# exec
    # Upper-case `Cx`: transition into the `postgres_bash` child profile defined
    # below AND scrub the environment on exec (LD_PRELOAD, LD_LIBRARY_PATH and
    # friends are dropped), so a compromised backend cannot carry loader tricks
    # into the shell it spawns.
    /bin/bash Cx -> postgres_bash,
    /bin/sh   Cx -> postgres_bash,
    profile postgres_bash flags=(complain) {
       # NOTE(review): complain mode - violations of the rules below are only
       # logged, not blocked, so whatever archive/restore commands do through this
       # shell is effectively permitted (explicit `deny` rules are the likely
       # exception). Switch to enforce once the audit log is clean.
       # `ycommon` is not a stock abstraction; its contents are not visible here and
       # widen this child profile by whatever it grants.
       #include <abstractions/ycommon>
       # network
       # Explicit deny wins over any allow pulled in by the abstraction: the shell
       # itself never talks to the network (wal-g runs under its own profile).
       deny network,

       # bin
       /bin/bash          rm,

       #ipc
       # May signal tasks in this same child profile and in the wal-g profile;
       # whether those peers may *receive* is governed by their own rules.
       signal peer=@{profile_name},
       signal peer=postgres_wal_g,

       # dev
       /dev/urandom    r,
       /dev/random     r,
       # NOTE(review): a shell spawned by a daemon should not need a controlling
       # tty - confirm this is exercised and drop it otherwise.
       /dev/tty        rw,

       # etc
       /etc/passwd         r,
       /etc/ld.so.cache    r,
       /etc/nsswitch.conf  r,
       /etc/locale.alias   r,

       # lib
       # Loader, libc and the NSS modules bash (and the helpers below) map PROT_EXEC.
       /lib/x86_64-linux-gnu/ld-@{lib_version}.so             rm,
       /lib/x86_64-linux-gnu/libc-@{lib_version}.so           rm,
       /lib/x86_64-linux-gnu/libdl-@{lib_version}.so          rm,
       /lib/x86_64-linux-gnu/libtinfo.so.@{lib_version}       rm,
       /lib/x86_64-linux-gnu/libnss_compat-@{lib_version}.so  rm,
       /lib/x86_64-linux-gnu/libnss_files-@{lib_version}.so   rm,
       /lib/x86_64-linux-gnu/libnss_nis-@{lib_version}.so     rm,
       /lib/x86_64-linux-gnu/libnsl-@{lib_version}.so         rm,
       /lib/x86_64-linux-gnu/librt-@{lib_version}.so          rm,
       /lib/x86_64-linux-gnu/libpthread-@{lib_version}.so     rm,

       # locale
       /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache  r,
       /usr/lib/locale/locale-archive                       r,
       /usr/lib/locale/                                     r,

       # var
       # `owner`: only files owned by the uid this shell runs as. `l` on pg_wal
       # additionally allows creating hard links to WAL segments.
       owner /var/lib/postgresql/*/** rw,
       owner /var/lib/postgresql/*/data/pg_wal/* l,

       # postgres via bash calls
       # `ix`: these helpers stay confined by this child profile, environment kept.
       /bin/true            rix,
       /bin/false           rix,
       /usr/bin/timeout     rix,
       /usr/bin/locale      rix,
       # wal-g
       # `Px`: discrete profile with a scrubbed environment. If `postgres_wal_g` is
       # not loaded the exec is refused rather than falling back to this profile.
       /usr/bin/wal-g       Px -> postgres_wal_g,
    }
    # Helpers that stay confined by this (parent) profile; `ix` keeps the environment.
    /bin/true ix,
    # NOTE(review): a server process should not need a controlling tty - confirm.
    /dev/tty rw,
    /usr/bin/envdir rix,
    /usr/bin/locale rix,
    /usr/bin/getent rmix,

  #ca-certificates (TLS trust store)
    /usr/share/ca-certificates/**.crt r,
    /usr/local/share/ca-certificates/**.crt r,
    /etc/ssl/certs/ r,
    /etc/ssl/certs/ca-certificates.crt r,
    # NOTE(review): the Debian "snakeoil" self-signed test certificate has no place
    # in a production trust path; drop this rule once confirmed unused.
    /etc/ssl/certs/ssl-cert-snakeoil.pem r,

#SERVICE_SPECIFIC
    # NOTE(review): write access to `/` itself is almost certainly not needed -
    # stat()/chdir() only need `r`. Tighten to `/ r,` after an audit-log check.
    / rw,
  #conf
    /etc/postgresql/*/data/pg_hba.conf r,
    /etc/postgresql/*/data/pg_ident.conf r,
    /etc/postgresql/*/data/postgresql.conf r,
  #libs
    /usr/lib/postgresql/*/lib/ r,
    # NOTE(review): extension modules are dlopen'd, which needs `m`; `ix` instead
    # grants exec-inherit on every file in lib/. Prefer `mr` unless the parser in
    # use folds `m` into `ix` - verify against a denial log before changing.
    /usr/lib/postgresql/*/lib/* rix,
    # PostGIS / GDAL dependency chain, mapped PROT_EXEC.
    /usr/lib/libgeos-@{lib_version}.so mr,
    /usr/lib/libproj.so.@{lib_version} mr,
    /usr/lib/libgeos_c.so.@{lib_version} mr,
    /usr/lib/liblwgeom-@{lib_version}.so.@{lib_version} mr,
    /usr/lib/liburiparser.so.@{lib_version} mr,
    /usr/lib/libarpack.so.@{lib_version} mr,
    /usr/lib/lapack/liblapack.so.@{lib_version} mr,
    /usr/lib/libblas/libblas.so.@{lib_version} mr,
    /usr/lib/libogdi.so.@{lib_version} mr,
    /usr/lib/libdfalt.so.@{lib_version} mr,
    /usr/lib/libmfhdfalt.so.@{lib_version} mr,
    /usr/lib/libnetcdf.so.@{lib_version} mr,
    /usr/lib/libarmadillo.so.@{lib_version} mr,
    /usr/lib/libgdal.so.@{lib_version} mr,
    # Pinned to the llvm-7 runtime (presumably for the JIT; see "Query compile"
    # below) - must be bumped together with the llvmjit package.
    /usr/lib/llvm-7/lib/libc++.so.@{lib_version} mr,
    /usr/lib/llvm-7/lib/libc++abi.so.@{lib_version} mr,
  #logs
    /run/postgresql/** rw,
    # Append-only would be ideal; AppArmor has no such mode, so plain `w`.
    /var/log/postgresql/postgresql* w,
  #tmp
    # NOTE(review): hard-coded path, looks like a tablespace living under /tmp/x;
    # confirm it is still in use.
    owner /tmp/x/base/@{num}/@{num} rw,
  #other
    #IPC
      # POSIX shared memory segments and the stats temp directory; both the
      # /dev/shm and /run/shm spellings are covered.
      /dev/shm/PostgreSQL.* rw,
      /dev/shm/pg_stat_tmp/ r,
      /dev/shm/pg_stat_tmp/*.tmp rw,
      /dev/shm/pg_stat_tmp/*.stat rw,
      /run/shm/pg_stat_tmp/ r,
      /run/shm/pg_stat_tmp/** rw,
      /run/shm/PostgreSQL.* rw,
    #BKI
      /usr/share/postgresql/*/sql_features.txt r,
      /usr/share/postgresql/*/postgres.description r,
      /usr/share/postgresql/*/postgres.shdescription r,
      /usr/share/postgresql/*/tsearch_data/unaccent.rules r,
    #Query compile
      /proc/cpuinfo r,
      /usr/lib/postgresql/*/lib/bitcode/** r,
    #Cartographic projection filter data
      /usr/share/proj/ r,
      /usr/share/proj/* r,
    #GDAL data
      /usr/share/gdal/ r,
      /usr/share/gdal/** r,
    #Cores
      # NOTE(review): core files hold process memory, including credentials and
      # session keys. Keep /var/cores root-only (0700) and consider disabling dumps
      # in production - neither is enforceable from this profile.
      /var/cores/* rw,
    #password file
      # Plaintext credentials; read-only is the correct mode here.
      /var/lib/postgresql/.pgpass r,
      /var/lib/postgresql/.server-pgpass r,
    #SSL
      # Server key is read-only; rotation happens outside the confined process.
      /etc/postgresql/ssl/server.crt r,
      /etc/postgresql/ssl/server.key r,
      /etc/postgresql/ssl/allCAs.pem r,
      /var/lib/postgresql/.postgresql/root.crt r,
    #timezones
      /usr/share/postgresql/timezonesets/Default r,
      /usr/share/postgresql/*/timezonesets/Default r,
    /usr/share/postgresql/*/extension/ r,
    /usr/share/postgresql/*/extension/** r,
    /usr/share/postgresql/*/tsearch_data/*.stop r,
    #Tmp socket for restore
      /var/lib/postgresql/.s.PGSQL.* rw,
    # NOTE(review): unlike the bash child profile, no `owner` qualifier here; add
    # `owner` if nothing outside the postgres uid is expected under the data dir.
    /var/lib/postgresql/*/** rw,
    # `l`: may create hard links to WAL segments.
    /var/lib/postgresql/*/data/pg_wal/* l,
    # libuuid clock-sequence state (time-based UUIDs); write-only.
    /var/lib/libuuid/clock.txt w,
    #Oracle client
    /opt/oracle/instantclient_21/libclntsh.so.@{lib_version} mr,
    /opt/oracle/instantclient_21/libclntshcore.so.@{lib_version} mr,
    /opt/oracle/instantclient_21/libnnz21.so mr,
