# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov
# Copyright (C) 2021-2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/3.0>,

include <tunables/global>

@{exec_path} = @{bin}/exim4
profile exim4 @{exec_path} {
  include <abstractions/base>
  include <abstractions/bus-system>
  include <abstractions/consoles>
  include <abstractions/nameservice-strict>
  include <abstractions/ssl_certs>

  capability chown,
  capability dac_override,
  capability dac_read_search,
  capability fowner,
  capability net_admin,
  capability net_bind_service,
  capability setgid,
  capability setuid,

  network inet dgram,
  network inet6 dgram,
  network inet stream,
  network inet6 stream,
  network netlink raw,

  @{exec_path} mrix,

  /etc/email-addresses r,
  /etc/aliases r,

  /var/lib/exim4/config.autogenerated{,.tmp} r,

  /var/lib/dpkg/status r,
  /var/log/cron-apt/lastfullmessage r,
  /var/log/exim4/ w,
  /var/log/exim4/mainlog w,
  /var/log/exim4/paniclog w,
  /var/log/exim4/rejectlog w,
  /var/spool/exim4/ r,
  /var/spool/exim4/** rwk,

  owner /var/mail/* rwkl -> /var/mail/*,

  /tmp/#@{int} rw,

        @{run}/exim4/ r,
  owner @{run}/exim4/exim.pid rw,

  include if exists <local/exim4>
}