abi <abi/3.0>,

include <tunables/global>
include <dnsmanager>
include <boilerplate>

/usr/local/bin/dnsmanagerd flags=(enforce) {
  # See the file `boilerplate`.
  @{BASE_LIBS}   mr,
  @{BASE_RO}     r,
  @{BASE_RW}     rw,

  # Allow IPC-related unix sockets.
  owner @{LIBIPC_DIR}/*  rwk,

  # Enable all unix socket operations. TODO: restrict this even further?
  unix,

  # Deny networking (udp and tcp).
  deny network tcp,
  deny network udp,

  # Configuration and DNS templates.
  owner @{DNSMANAGERD_CONFIG}     r,
  owner @{DNSMANAGERD_TEMPLATES}  r,

  # Database and logs.
  owner @{DNSMANAGERD_DB_PATH}/**   rwkl,
  owner @{DNSMANAGERD_LOGS}         w,
}