#include <tunables/global>
# {% for wiki in pillar['mediawiki']['wikis']|sort %}
profile magick-{{wiki}} flags=(complain) {
#include <abstractions/base>
#include <abstractions/fonts>
deny network inet stream,
deny /var/cache/fontconfig/ w,
/{usr/,}bin/bash mrix,
/dev/tty rw,
/etc/ImageMagick-7-SUSE/*.xml r,
/etc/nsswitch.conf r,
/etc/passwd r,
/proc/filesystems r,
/usr/bin/magick mr,
/usr/lib64/ImageMagick-7.0.7/modules-7_Q16HDRI6/coders/png.so mr,
/usr/lib64/ImageMagick-7.0.7/modules-7_Q16HDRI6/coders/svg.so mr,
owner /srv/www/{{wiki}}.opensuse.org/cache/l10n_cache-en.cdb r,
owner /srv/www/{{wiki}}.opensuse.org/public/?????? w,
owner /srv/www/{{wiki}}.opensuse.org/public/images/**.svg r,
owner /srv/www/{{wiki}}.opensuse.org/public/images/temp/transform_*.png rw,
owner /tmp/magick-* rw,
owner /var/lib/wwwrun/.cache/ w,
}
# {% endfor %}
# vim: ft=apparmor expandtab