#include <tunables/global>

profile xiaomi_mi_scale flags=(attach_disconnected,mediate_deleted) {
    #include <abstractions/base>

    # Capabilities
    network,
    capability,
    file,

    # ###
    # included from https://github.com/edgexfoundry-holding/device-bluetooth-c/blob/main/docker-ble-policy
    # ###
    dbus (send, receive) bus=system peer=(name=org.bluez, label=unconfined),
    dbus (send, receive) bus=system interface=org.freedesktop.DBus peer=(label=unconfined),

    # ###
    # included from https://github.com/jdstrand/snapd/blob/4befc00e3318a3231e96b38b575bf6e637ddad6c/interfaces/builtin/bluez.go
    # ###
    dbus (receive, send)
      bus=system
      interface=org.bluez.*
      peer=(label=unconfined),
    dbus (receive, send)
      bus=system
      path=/org/bluez{,/**}
      interface=org.freedesktop.DBus.*
      peer=(label=unconfined),
    dbus (receive, send)
      bus=system
      path=/
      interface=org.freedesktop.DBus.*
      peer=(label=unconfined),


    # ###
    # included from https://developers.home-assistant.io/docs/add-ons/presentation#apparmor
    # ###
    signal (send) set=(kill,term,int,hup,cont),

    # Receive signals from S6-Overlay
    signal (send,receive) peer=*_xiaomi_mi_scale,

    # S6-Overlay
    /init ix,
    /bin/** ix,
    /usr/bin/** ix,
    /run/{s6,s6-rc*,service}/** ix,
    /package/** ix,
    /command/** ix,
    /etc/services.d/** rwix,
    /etc/cont-init.d/** rwix,
    /etc/cont-finish.d/** rwix,
    /run/{,**} rwk,
    /dev/tty rw,

    # Bashio
    /usr/lib/bashio/** ix,
    /tmp/** rwk,

    # Access to options.json and other files within your addon
    /data/** rw,

    # Access to mapped volumes specified in config.json
    /share/** rw,


    # ###
    # included from https://gist.github.com/disconnect3d/d578af68b09ab56db657854ec03879aa
    # (docker-default profile which would usually be used for this container)
    # ###
    signal (receive) peer=unconfined,
    signal (send,receive) peer=docker-default,

    deny @{PROC}/* w,   # deny write for all files directly in /proc (not in a subdir)
    # deny write to files not in /proc/<number>/** or /proc/sys/**
    deny @{PROC}/{[^1-9],[^1-9][^0-9],[^1-9s][^0-9y][^0-9s],[^1-9][^0-9][^0-9][^0-9]*}/** w,
    deny @{PROC}/sys/[^k]** w,  # deny /proc/sys except /proc/sys/k* (effectively /proc/sys/kernel)
    deny @{PROC}/sys/kernel/{?,??,[^s][^h][^m]**} w,  # deny everything except shm* in /proc/sys/kernel/
    deny @{PROC}/sysrq-trigger rwklx,
    deny @{PROC}/kcore rwklx,

    deny mount,

    deny /sys/[^f]*/** wklx,
    deny /sys/f[^s]*/** wklx,
    deny /sys/fs/[^c]*/** wklx,
    deny /sys/fs/c[^g]*/** wklx,
    deny /sys/fs/cg[^r]*/** wklx,
    deny /sys/firmware/** rwklx,
    deny /sys/kernel/security/** rwklx,


    # suppress ptrace denials when using 'docker ps' or using 'ps' inside a container
    ptrace (trace,read) peer=docker-default,
}