# ------------------------------------------------------------------
#
#    Copyright (C) 2022 Christian Boltz
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License published by the Free Software Foundation.
#
# ------------------------------------------------------------------

abi <abi/4.0>,

include <tunables/global>

profile zgrep /usr/bin/{x,}zgrep {
  include <abstractions/base>
  include <abstractions/bash>

  /dev/tty rw,
  @{etc_ro}/nsswitch.conf  r,
  /etc/passwd r,
  /usr/bin/{ba,da,}sh ix,
  /usr/bin/bzip2 Cx -> helper,
  /usr/bin/cat ix,
  /usr/bin/egrep Cx -> helper,
  /usr/bin/expr ix,
  /usr/bin/fgrep Cx -> helper,
  /usr/bin/grep Cx -> helper,
  /usr/bin/gzip Cx -> helper,
  /usr/bin/mktemp ix,
  /usr/bin/rm ix,
  /usr/bin/sed Cx -> sed,
  /usr/bin/xz Cx -> helper,
  /usr/bin/xzgrep r,
  /usr/bin/zgrep Cx -> helper,
  /usr/bin/zstd Cx -> helper,
  owner /tmp/zgrep* rw,
  /usr/bin/zgrep r,

  deny /etc/nsswitch.conf r,
  deny /etc/passwd r,

  include if exists <local/zgrep>

  profile helper {
    include <abstractions/base>

    capability dac_override,
    capability dac_read_search,

    /dev/tty w,

    /usr/bin/{ba,da,}sh ix,
    /usr/bin/bzip2 mr,
    /usr/bin/grep mrix,
    /usr/bin/gzip mr,
    /usr/bin/xz mr,
    /usr/bin/zstd mr,
    /{,**} r,

  }

  profile sed {
    include <abstractions/base>

    /dev/tty rw,
    /usr/bin/{ba,da,}sh ix,
    /usr/bin/sed mr,

  }
}