#include <tunables/global>

profile addon_samba_nas flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/base>
  #include <abstractions/mdns>
  #include <abstractions/samba>
  #include <abstractions/smbpass>
  #include <abstractions/winbind>
  #include <abstractions/bash>

  
  capability,
  file,
  signal (send) set=(kill,term,int,hup,cont),
  mount,
  umount,
  remount,

  capability setgid,
  capability setuid,
  capability sys_admin, 
  capability dac_read_search, 
  capability sys_rawio,
  capability sys_resource,
  # capability dac_override,

# Networks
  network udp,
  network tcp,
  network dgram,
  network stream,
  network inet,
  network inet6,
  network netlink raw,
  network unix dgram,

# S6-Overlay
  /init ix,
  /bin/** ix,
  /usr/bin/** ix,
  /run/{s6,s6-rc*,service}/** ix,
  /package/** ix,
  /command/** ix,
  /etc/services.d/** rwix,
  /etc/cont-init.d/** rwix,
  /etc/cont-finish.d/** rwix,
  /run/{,**} rwk,
 # /dev/tty rw,
 
  # Files required
  /dev/** mrwkl,
  /tmp/** mrkwl,
  
  # Bashio
  /usr/lib/bashio/** ix,
  /tmp/** rwk,

  # Data access
  /data/** rw, 

  # suppress ptrace denials when using 'docker ps' or using 'ps' inside a container
  ptrace (trace,read) peer=docker-default,
 
  # docker daemon confinement requires explict allow rule for signal
  signal (receive) set=(kill,term) peer=/usr/bin/docker,

}