# managed by salt - do not edit manually!

# AppArmor profile for elasticsearch 6.8
# vim: ft=apparmor
# ------------------------------------------------------------------
#
#    Copyright (C) 2017-2022 Christian Boltz
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License published by the Free Software Foundation.
#
# ------------------------------------------------------------------

#include <tunables/global>

profile elasticsearch /usr/share/elasticsearch/bin/elasticsearch flags=(complain) {
  #include <abstractions/base>

  capability sys_ptrace,

  /dev/tty rw,
  /etc/nsswitch.conf r,
  /etc/passwd r,
  /usr/bin/basename Cx -> helper,
  /usr/bin/dirname Cx -> helper,
  /usr/bin/grep Cx -> helper,
  /usr/bin/which Cx -> helper,
  /usr/lib64/jvm/java-11-openjdk-11/bin/java Cx -> java,
  /usr/share/elasticsearch/ r,
  /usr/share/elasticsearch/bin/elasticsearch r,
  /usr/share/elasticsearch/bin/elasticsearch-env r,


  profile helper flags=(complain) {
    #include <abstractions/base>

    /usr/bin/basename mr,
    /usr/bin/dirname mr,
    /usr/bin/grep mr,
    /usr/bin/which mr,

  }

  profile java flags=(complain) {
    #include <abstractions/base>

    ptrace read peer=elasticsearch//ldconfig,

    /etc/elasticsearch/ r,
    /etc/elasticsearch/elasticsearch.yml r,
    /etc/elasticsearch/jvm.options r,
    /etc/elasticsearch/log4j2.properties r,
    /etc/elasticsearch/scripts/ r,
    /etc/host.conf r,
    /etc/hosts r,
    /etc/nsswitch.conf r,
    /etc/passwd r,
    /proc/*/net/if_inet6 r,
    /proc/*/net/ipv6_route r,
    /proc/*/stat r,
    /proc/diskstats r,
    /proc/loadavg r,
    /proc/sys/kernel/core_pattern r,
    /proc/sys/kernel/pid_max r,
    /proc/sys/kernel/threads-max r,
    /proc/sys/net/core/somaxconn r,
    /proc/sys/vm/max_map_count r,
    /run/netconfig/resolv.conf r,
    /sbin/ldconfig Px -> elasticsearch//ldconfig,
    /sys/devices/system/cpu/offline r,
    /sys/fs/cgroup/cpu,cpuacct/cpu.cfs_period_us r,
    /sys/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r,
    /sys/fs/cgroup/cpu,cpuacct/cpu.shares r,
    /sys/fs/cgroup/cpu,cpuacct/cpu.stat r,
    /sys/fs/cgroup/cpu,cpuacct/cpuacct.usage r,
    /sys/fs/cgroup/cpuset/cpuset.cpus r,
    /sys/fs/cgroup/cpuset/cpuset.mems r,
    /sys/fs/cgroup/memory/memory.limit_in_bytes r,
    /sys/fs/cgroup/memory/memory.max_usage_in_bytes r,
    /sys/fs/cgroup/memory/memory.soft_limit_in_bytes r,
    /sys/fs/cgroup/memory/memory.stat r,
    /sys/fs/cgroup/memory/memory.usage_in_bytes r,
    /sys/fs/cgroup/memory/memory.use_hierarchy r,
    /sys/kernel/mm/transparent_hugepage/defrag r,
    /sys/kernel/mm/transparent_hugepage/enabled r,
    /usr/lib64/jvm/java-11-openjdk-11/bin/java mr,
    /usr/share/elasticsearch/ r,
    /usr/share/elasticsearch/lib/ r,
    /usr/share/elasticsearch/lib/*.jar r,
    /usr/share/elasticsearch/modules/ r,
    /usr/share/elasticsearch/modules/*/ r,
    /usr/share/elasticsearch/modules/*/*.jar r,
    /usr/share/elasticsearch/modules/*/*.policy r,
    /usr/share/elasticsearch/modules/*/*.properties r,
    /usr/share/elasticsearch/modules/percolator/*.jar r,
    /usr/share/elasticsearch/plugins/ r,
    /var/lib/ca-certificates/java-cacerts r,
    owner /etc/elasticsearch/elasticsearch.keystore rw,
    owner /etc/elasticsearch/elasticsearch.keystore.tmp rw,
    owner /proc/*/ r,
    owner /proc/*/cgroup r,
    owner /proc/*/coredump_filter rw,
    owner /proc/*/fd/ r,
    owner /proc/*/mountinfo r,
    owner /proc/*/mounts r,
    owner /run/elasticsearch/elasticsearch.pid w,
    owner /tmp/elasticsearch-*/ w,
    owner /tmp/elasticsearch-*/*.tmp w,
    owner /tmp/hs_err_pid*.log rw,
    owner /tmp/hsperfdata_elasticsearch/ rw,
    owner /tmp/hsperfdata_elasticsearch/* rw,
    owner /var/lib/elasticsearch/.cache/ w,
    owner /var/lib/elasticsearch/.cache/JNA/ w,
    owner /var/lib/elasticsearch/.cache/JNA/temp/ rw,
    owner /var/lib/elasticsearch/.cache/JNA/temp/*.tmp mrw,
    owner /var/lib/elasticsearch/nodes/ w,
    owner /var/lib/elasticsearch/nodes/0/ w,
    owner /var/lib/elasticsearch/nodes/0/.es_temp_file w,
    owner /var/lib/elasticsearch/nodes/0/.es_temp_file.final w,
    owner /var/lib/elasticsearch/nodes/0/.es_temp_file.tmp rw,
    owner /var/lib/elasticsearch/nodes/0/_state/ rw,
    owner /var/lib/elasticsearch/nodes/0/_state/global-[0-9].st rw,
    owner /var/lib/elasticsearch/nodes/0/_state/global-[0-9].st.tmp rw,
    owner /var/lib/elasticsearch/nodes/0/_state/node-[0-9].st rw,
    owner /var/lib/elasticsearch/nodes/0/_state/node-[0-9].st.tmp rw,
    owner /var/lib/elasticsearch/nodes/0/indices/ rw,
    owner /var/lib/elasticsearch/nodes/0/indices/** rwk,
    owner /var/lib/elasticsearch/nodes/0/node.lock wk,
    owner /var/log/elasticsearch/elasticsearch.log rw,
    owner /var/log/elasticsearch/elasticsearch_deprecation.log rw,
    owner /var/log/elasticsearch/elasticsearch_index_indexing_slowlog.log rw,
    owner /var/log/elasticsearch/elasticsearch_index_search_slowlog.log rw,
    owner /var/log/elasticsearch/loggc rw,
    owner /var/log/elasticsearch/loggc.*[0-9] w,

  }

  profile ldconfig flags=(complain) {
    #include <abstractions/base>

    /sbin/ldconfig mr,

  }
}