# This file contains the roles as referenced by pam/mappings

#include <tunables/global>
#include <tunables/wg_system>

# By default, allow users to read, lock and link to their own files
# anywhere, but only write to files in their home directory. Only
# allow limited execution of files.

# Profile attached to ordinary users (referenced from pam/mappings).
# The effective policy is the union of the allow rules below plus the
# included abstractions; the explicit "deny" rule takes precedence over
# any allow rule, including ones pulled in by the includes.
profile default_user {
  #include <abstractions/base>
  #include <abstractions/bash>
  #include <abstractions/consoles>
  #include <abstractions/nameservice>

  # Capabilities granted on top of whatever the abstractions above allow.
  capability audit_write,
  capability chown,
  capability fsetid,
  # Hard deny: the user may not ptrace other processes even if an include
  # would otherwise permit it.
  deny capability sys_ptrace,

  # Read access to the entire filesystem; write/lock/link only on files
  # the user owns. NOTE(review): "owner /** rwkl" grants w on owned files
  # anywhere on the filesystem, not only under @{HOME} as the header
  # comment states -- confirm that is the intended scope.
  / r,
  /** r,
  owner /** rwkl,

  # Execution is restricted to the trees below. "Pix": run the binary
  # under its own named profile if one exists, otherwise inherit this
  # profile. "m" permits mapping the file executable (libraries, loaders).
  /bin/** Pixmr,
  /lib{,32,64}/** mr,
  # NOTE(review): "m" on these world-writable directories, together with
  # "owner /** rwkl" above, lets a user map a file they wrote there as
  # executable -- confirm this is intended for the default role.
  /run/shm/* mr,
  /tmp/* mr,
  /usr/bin/** Pixmr,
  /usr/lib/** mr,
  /var/tmp/* mr,

  # Home directory: full owner access, including mmap-exec of owned files
  # (this is the only place "m" is granted on user-owned content by path).
  owner @{HOME}/ mrwkl,
  owner @{HOME}/** mrwkl,
}

# Allow wg_support_user to read, lock and link to their own files
# anywhere, but only write to files in their home directory. Only
# allow limited execution of files, including Dimension binaries, and
# grant write access to the network interface JSON configuration
# files.

# Profile for the support role. It is a superset of default_user: the
# same filesystem policy plus raw networking, execution from the sbin
# trees and the Dimension binary tree, and write access to a small set
# of system JSON configuration files. The explicit "deny" rule takes
# precedence over any allow rule, including ones from the includes.
profile wg_support_user {
  #include <abstractions/base>
  #include <abstractions/bash>
  #include <abstractions/consoles>
  #include <abstractions/nameservice>

  # Capabilities granted on top of whatever the abstractions above allow.
  capability audit_write,
  capability chown,
  capability fsetid,
  # net_raw plus the "network raw" rule below: raw/packet sockets
  # (presumably for ping-style diagnostics -- not shown here).
  capability net_raw,
  # Hard deny: no ptrace of other processes even if an include allows it.
  deny capability sys_ptrace,

  network raw,

  # Read access to the entire filesystem; write/lock/link only on files
  # the user owns. NOTE(review): "owner /** rwkl" grants w on owned files
  # anywhere, not only under @{HOME} as the header comment states --
  # confirm that is the intended scope.
  / r,
  /** r,
  owner /** rwkl,

  # Execution is restricted to the trees below. "Pix": run the binary
  # under its own named profile if one exists, otherwise inherit this
  # profile. "m" permits mapping the file executable (libraries, loaders).
  # Unlike default_user, the sbin trees are executable for this role.
  /bin/** Pixmr,
  /lib{,32,64}/** mr,
  # NOTE(review): "m" on these world-writable directories, together with
  # "owner /** rwkl" above, lets a user map a file they wrote there as
  # executable -- confirm this is intended for the support role.
  /run/shm/* mr,
  /sbin/** Pixmr,
  /tmp/* mr,
  /usr/bin/** Pixmr,
  /usr/lib/** mr,
  /usr/sbin/** Pixmr,
  /var/tmp/* mr,

  # Home directory: full owner access, including mmap-exec of owned files.
  owner @{HOME}/ mrwkl,
  owner @{HOME}/** mrwkl,

  # Dimension-specific paths. @{WG_ETCDIR}, @{WG_BINDIR} and @{WG_LIBDIR}
  # are presumably defined in tunables/wg_system (included above, not
  # shown here). The JSON rules grant rw regardless of file owner; the
  # "*" in interface-eth*.json matches a single path component only.
  @{WG_ETCDIR}/system/interface-eth*.json rw,
  @{WG_ETCDIR}/system/sshd.json rw,
  @{WG_BINDIR}/** Pixmr,
  @{WG_LIBDIR}/** mr,
}
