# This file is part of the Solr package for openSUSE
# Copyright (c) 2024 Georg Pfuetzenreuter <mail+rpm@georg-pfuetzenreuter.net>

# Policy ABI these rules are written against (AppArmor 3.x feature set,
# which is what makes the ptrace/signal rules below meaningful).
abi <abi/3.0>,

# Provides the variables used throughout this file (@{PROC}, @{etc_ro}, ...).
include <tunables/global>

# Versioned install prefix. The profile attaches to @{SOLR_BASE}/bin/solr, so
# this must be bumped on every Solr version change or the policy silently
# stops applying.
@{SOLR_BASE}=/opt/solr-9.6.0

# Profile for the launcher script @{SOLR_BASE}/bin/solr (a bash script, hence
# <abstractions/bash>). Helper programs the script execs are confined by the
# child profiles defined below (awk, lsof, ps, java); plain coreutils run
# under this profile itself (ix). No rule in this file grants `ptrace trace`
# or any `signal (send)` permission.
profile solr @{SOLR_BASE}/bin/solr {
  include <abstractions/base>
  include <abstractions/bash>
  include <abstractions/nameservice>
  include <abstractions/user-tmp>

  # Explicit deny: suppresses audit noise for listings of / instead of
  # granting them (a plain missing rule would be logged as a denial).
  deny / r,

  # Read-only access to the process state of the helpers this script
  # launches (e.g. their /proc entries); no tracing.
  ptrace read peer=solr//awk,
  ptrace read peer=solr//java,
  ptrace read peer=solr//lsof,

  # Cx: transition into the named child profile with a scrubbed environment.
  /{,usr/}bin/ps Cx -> ps,
  /usr/bin/gawk Cx -> awk,
  /usr/bin/lsof Cx -> lsof,

  # cx (lower case): child profile WITHOUT environment scrubbing. Presumably
  # deliberate, since the script configures the JVM through exported
  # environment variables — confirm before tightening to Cx.
  # NOTE(review): the brace pairs are independent, so this also matches
  # mixed combinations such as java-17-openjdk-21; harmless, but a single
  # alternation per version would be stricter.
  /usr/lib64/jvm/java-{17,20,21,22}-openjdk-{17,20,21,22}/bin/java cx -> java,

  # Coreutils used by the script inherit this profile rather than getting
  # their own. /usr/bin/kill is not listed and no signal rules exist for
  # this profile, so a stop/restart path that signals the JVM would be
  # denied — presumably only `start` runs under this profile, with the
  # service manager handling shutdown (see the signal rules in the java
  # child profile). TODO confirm against the systemd unit.
  /usr/bin/{bash,cat,dirname,find,grep,head,mkdir,nohup,rm,sed,sleep,sort,tail,tr,uname,wc} ix,

  # Controlling terminal (script output / prompts when run interactively).
  /dev/tty rw,

  # Entropy check performed by the script (presumably to warn about a slow
  # SecureRandom in the JVM — not verifiable from here).
  @{PROC}/sys/kernel/random/{entropy_avail,poolsize} r,

  # The script reads itself and its environment file.
  @{SOLR_BASE}/bin/solr r,
  @{etc_ro}/default/solr.in.sh r,

  # Runtime state written by the launcher. `owner` restricts access to files
  # owned by the uid the script runs as, so a pid file or console log owned
  # by another user cannot be overwritten.
  owner /run/solr/ r,
  owner /run/solr/solr-[0-9]*.pid rw,
  owner /var/log/solr/solr-[0-9]*-console.log w,


  # gawk helper. attach_disconnected: paths that are disconnected from the
  # task's namespace are attached to / so the rules below can still match.
  profile awk flags=(attach_disconnected) {
    include <abstractions/base>

    /usr/bin/gawk mr,

  }


  # lsof helper: needs sys_ptrace plus read-only ptrace peers to inspect the
  # file descriptors of the launcher and the JVM via /proc.
  profile lsof flags=(attach_disconnected) {
    include <abstractions/base>

    # Same noise-suppression as in the parent profile.
    deny / r,

    capability sys_ptrace,

    ptrace read peer=solr,
    ptrace read peer=solr//java,

    /usr/bin/lsof mr,

    /dev/null r,

    # System-wide tables are world-readable; per-process fd listings are
    # limited to processes owned by the same uid (`owner`).
    @{PROC}/locks r,
    @{PROC}/ r,
    @{PROC}/[0-9]*/net/{if_inet6,netlink,packet,{raw,sockstat,tcp,udp,udplite}{,6},unix} r,
    @{PROC}/[0-9]*/stat r,
    owner @{PROC}/[0-9]*/fd/ r,
  }


  # ps helper. peer=unconfined allows reading the state of processes that
  # run under no profile, i.e. a full process listing (presumably the
  # script greps it for a running instance — not verifiable from here).
  profile ps {
    include <abstractions/base>
    include <abstractions/nameservice>

    ptrace read peer=solr,
    ptrace read peer=solr//awk,
    ptrace read peer=solr//lsof,
    ptrace read peer=solr//java,
    ptrace read peer=unconfined,

    /{,usr/}bin/ps mr,

    /dev/tty r,

    @{PROC}/ r,
    @{PROC}/[0-9]*/{cmdline,stat} r,
    @{PROC}/sys/kernel/{osrelease,pid_max} r,
    @{PROC}/tty/drivers r,
    @{PROC}/uptime r,

  }


  # The JVM running Solr itself. This is the network-facing process, so its
  # write set is the part of this file most worth scrutinising: writes are
  # confined to the log directory, the per-core data directories and the
  # core configuration (see the note at the conf rule below).
  profile java flags=(attach_disconnected) {
    include <abstractions/base>
    include <abstractions/nameservice>
    include <abstractions/user-tmp>

    # Noise suppression: the JVM does not need / or the README shipped in
    # lib/ (presumably picked up by a directory scan of lib/).
    deny / r,
    deny @{SOLR_BASE}/lib/README.md r,

    # Read-only process-state access towards the helper profiles; no trace.
    ptrace read peer=solr//lsof,
    ptrace read peer=solr//ps,

    # peer=unconfined is systemd (the service manager runs under no profile);
    # `exists` only permits its liveness probes (kill -0 style), not
    # termination. rtmin+30 is the JVM signalling itself — presumably
    # JVM-internal thread management, not verifiable from here.
    signal (receive) set=(exists) peer=unconfined,
    signal (receive) set=(rtmin+30) peer=solr//java,

    /usr/lib64/jvm/java-{17,20,21,22}-openjdk-{17,20,21,22}/bin/java mr,

    @{PROC}/ r,
    @{PROC}/[0-9]*/net/{if_inet6,netlink,packet,{raw,sockstat,tcp,udp,udplite}{,6},unix} r,
    @{PROC}/[0-9]*/{cmdline,{,task/[0-9]*/}stat} r,
    @{PROC}/sys/crypto/fips_enabled r,
    @{PROC}/sys/vm/overcommit_memory r,
    @{PROC}/{cgroups,cpuinfo,filesystems,loadavg,locks,meminfo,stat} r,

    # NOTE(review): every other per-process rule in this file uses [0-9]*;
    # the bare `*` here also matches non-PID entries under @{PROC}. Consider
    # [0-9]* for consistency and least privilege (confirm the JVM's access
    # is resolved to a numeric pid path before changing).
    owner @{PROC}/*/coredump_filter rw,
    owner @{PROC}/[0-9]*/fd/ r,
    owner @{PROC}/[0-9]*/fdinfo/[0-9]* r,
    owner @{PROC}/[0-9]*/{auxv,cgroup,mountinfo,stat} r,

    # Container-awareness probes of the JVM. These are cgroup v1 paths
    # (cpu,cpuacct and memory.limit_in_bytes); a cgroup v2 host exposes
    # different files under /sys/fs/cgroup, which are not covered here —
    # TODO confirm on a v2-only system.
    /sys/devices/system/cpu/{,online} r,
    /sys/fs/cgroup/cpu,cpuacct/cpu.{cfs_{period,quota}_us,shares} r,
    /sys/fs/cgroup/cpuset/cpuset.cpus r,
    /sys/fs/cgroup/memory/memory.{limit_in_bytes,memsw.limit_in_bytes,stat,swappiness,usage_in_bytes,use_hierarchy} r,
    /sys/kernel/mm/hugepages/ r,
    /sys/kernel/mm/transparent_hugepage/{enabled,hpage_pmd_size} r,

    # Site configuration, read-only: security.json (authn/authz) and solr.xml.
    @{etc_ro}/ld.so.cache r,
    @{etc_ro}/opt/solr/security.json r,
    @{etc_ro}/opt/solr/solr.xml r,

    # Installed code and webapp assets, read-only. Nothing under
    # @{SOLR_BASE} is writable by the JVM.
    @{SOLR_BASE}/bin/solr r,
    @{SOLR_BASE}/lib/ r,
    @{SOLR_BASE}/modules/*/lib/{,*.jar} r,
    @{SOLR_BASE}/server/contexts/{,solr-jetty-context.xml} r,
    @{SOLR_BASE}/server/lib/{,*.jar,ext/{,*.jar}} r,
    @{SOLR_BASE}/server/modules/{,{gzip,http,https,requestlog,server,ssl{,-reload}}.mod} r,
    @{SOLR_BASE}/server/resources/{,log4j2.xml} r,
    @{SOLR_BASE}/server/solr-webapp/webapp/WEB-INF/{web.xml,lib/{,*.jar}} r,
    @{SOLR_BASE}/server/solr-webapp/webapp/{index,error404,partials/*}.html r,
    @{SOLR_BASE}/server/solr-webapp/webapp/img/{favicon.ico,**.{gif,png,svg}} r,
    @{SOLR_BASE}/server/solr-webapp/webapp/css/angular/*.css r,
    @{SOLR_BASE}/server/solr-webapp/webapp/{js/angular,libs}/**.js r,
    @{SOLR_BASE}/server/start.jar r,
    # The two rules below reuse @{etc_ro} to spell the jetty `server/etc/`
    # directory; it works because the variable expands to an etc/ path
    # component, but `@{SOLR_BASE}/server/etc/` would say the same thing
    # more plainly.
    @{SOLR_BASE}/server@{etc_ro}/security.{policy,properties} r,
    @{SOLR_BASE}/server@{etc_ro}/{jetty{,-{gzip,http,requestlog}},webdefault}.xml r,

    /var/lib/ca-certificates/java-cacerts r,

    # Logs: all owner-restricted; rotated files are write-only.
    owner /var/log/solr/ r,
    owner /var/log/solr/[0-9][0-9][0-9][0-9]_[0-9][0-9]_[0-9][0-9].request.log w,
    owner /var/log/solr/jvm_crash_[0-9]* rw,
    owner /var/log/solr/solr-[0-9]*-console.log w,
    owner /var/log/solr/solr.log{,.[0-9]*} rw,
    owner /var/log/solr/solr_gc.log rw,
    owner /var/log/solr/solr_slow_requests.log rw,
    owner /var/log/solr/solr_gc.log.[0-9]* w,

    # NOTE(review): the conf rule is rw and, unlike the data rules, not
    # owner-restricted: the JVM may rewrite its own core configuration
    # (xml/json/txt, language files, XSLT). Presumably needed for Solr's
    # Config/Schema APIs; if those are not used, read-only or at least
    # `owner` here would stop a compromised instance from persisting changes
    # to its own configuration. Index data, transaction log and the Lucene
    # write.lock (k = file locking) are owner-only.
    /var/opt/solr/*/conf/{,*.{json,txt,xml},lang/{,*.txt},xslt/{,*.xsl}} rw,
    owner /var/opt/solr/ r,
    owner /var/opt/solr/*/core.properties rw,
    owner /var/opt/solr/*/data/{index,tlog}/* rw,
    owner /var/opt/solr/*/data/index/write.lock wk,
    owner /var/opt/solr/*/{,data/{,index/,snapshot_metadata/,tlog/}} rw,

  }


  # Administrator hook for site-local additions; absent file is not an error.
  include if exists <local/solr>

}
