# Last Modified: Mon Jul  1 18:27:51 2024
abi <abi/3.0>,

include <tunables/global>

/usr/bin/wsdd {
  include <abstractions/base>
  include <abstractions/consoles>
  include <abstractions/python>
  include <abstractions/ssl_certs>

  # wsdd can create its own chroot as a built-in security mechanism.
  # This is used by default in the systemd wsdd-server service.
  capability sys_chroot,

  network inet dgram,
  network inet stream,
  network inet6 dgram,
  network inet6 stream,
  network netlink raw,

  deny /etc/passwd r,
  deny /run/systemd/userdb/ r,

  # It's a python script
  /usr/bin/env mrix,
  /{,usr/}bin/python3.{1,}[0-9] mrix,
  /usr/bin/wsdd r,

  # Create a unix socket to comunicate with other processes.
  # The location of the socket can be specified in the cmdline,
  # but allowing that would mean granting R/W access to the whole
  # filesystem. Let's limit ourselves to $XDG_RUNTIME_DIR, which
  # is where GNOME's gvfsd instructs wsdd to create the socket.
  owner /run/user/[0-9]*/** rw,

  # Misc networking
  /etc/iproute2/group r,
  /etc/machine-id r,
  /etc/nsswitch.conf r,
  /run/netns/ r,
  /usr/bin/ip mrix,
  /usr/sbin/ifconfig mrix,

}
