#include <tunables/global>

profile haproxy /usr/sbin/haproxy {
  #include <abstractions/base>
  #include <abstractions/openssl>
  #include <abstractions/ssl_certs>
  #include <abstractions/ssl_keys>
  #include <abstractions/nameservice>
  capability net_bind_service,
  capability setgid,
  capability setuid,
  capability kill,
  capability sys_resource,
  capability sys_chroot,
  capability net_admin,

  # those are needed for the stats socket creation
  capability chown,
  capability fowner,
  capability fsetid,

  network inet,
  network inet6,

  /etc/haproxy/* r, 

  /usr/sbin/haproxy rmix,

  /dev/shm/haproxy_startup_logs_* rwlk,

  # old stats socket location, for compatibility
  /var/lib/haproxy/stats rwl,
  /var/lib/haproxy/stats.*.bak rwl,
  /var/lib/haproxy/stats.*.tmp rwl,
  # new stats socket location
  /run/haproxy/stats*.sock{,*.{bak,tmp}} rwl,

  /{,var/}run/haproxy/pid rw,
  /{,var/}run/haproxy/master.sock* rwlk,

  # This is for the additional debug output in haproxy >= 2.9
  # can be accessed with "p post_mortem" in gdb
  /sys/devices/system/node/ r,
  /sys/devices/system/node/*/cpumap r,
  /sys/devices/system/cpu/online r,
  /sys/class/dmi/id/sys_vendor r,
  /sys/class/dmi/id/product_family r,
  /sys/class/dmi/id/product_name r,
  /sys/class/dmi/id/board_vendor r,
  /sys/firmware/devicetree/base/model r,
  /sys/class/dmi/id/board_name r,
  /proc/2/status r,
  /proc/cpuinfo r,
  # end of debug.c files

  # Site-specific additions and overrides. See local/README for details.
  #include if exists <local/haproxy>
  #include if exists <local/usr.sbin.haproxy>
}