abi <abi/3.0>,

include <tunables/global>
include <dnsmanager>
include <boilerplate>

/usr/local/bin/authd flags=(enforce) {
  # See the file `boilerplate`.
  @{BASE_LIBS}   mr,
  @{BASE_RO}     r,
  @{BASE_RW}     rw,

  # Allow IPC-related unix sockets.
  owner @{LIBIPC_DIR}/*  rwk,

  # Enable all unix socket operations. TODO: restrict this even further?
  unix,

  # Deny networking (udp and tcp).
  deny network tcp,
  deny network udp,

  # Enable to read the configuration (and the database key).
  owner @{AUTHD_CONFIG} r,
  owner @{AUTHD_DB_KEY} r,

  # Database and logs.
  owner @{AUTHD_DB_PATH}/**   rwkl,
  owner @{AUTHD_LOGS}         w,

  # Enable authd to send mails.
  @{MAILER} ux,
}