# AppArmor profile for syncthing synchronization program
# Version of syncthing profiled: 1.27.6
# Homepage: https://github.com/krathalan/apparmor-profiles
# Copyright 2019-2024 (C) krathalan; Licensed under GPLv3

abi <abi/3.0>,
include <tunables/global>

profile syncthing /usr/bin/syncthing {
  include if exists <local/syncthing>
  include <abstractions/base>
  network unix stream,

  /usr/bin/syncthing rPx,

  # Networking
  include <abstractions/krathalans-networking>
  include <abstractions/ssl_certs>
  include <abstractions/ssl_keys>
  network netlink raw,
  network inet stream,
  network inet dgram,
  network inet6 stream,
  network inet6 dgram,
  /etc/ca-certificates/extracted/cadir/* r,
  /etc/iproute2/rt_tables r,
  @{PROC}/sys/net/core/somaxconn r,
  @{PROC}/@{pid}/net/route r,
  owner @{PROC}/@{pid}/cgroup r,
  /usr/bin/ip rix,

  # https://www.kernel.org/doc/Documentation/vm/transhuge.txt
  /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,
  
  # Probably for usage reporting?
  @{PROC}/sys/kernel/osrelease r,

  # Config
  owner @{HOME}/.config/syncthing/{,**} rwk,

  # Miscellaneous
  /etc/mime.types r,
  @{system_share_dirs}/mime/globs2 r, 
}
