# vim:syntax=apparmor
# Author: Jamie Strandboge <jamie@strandboge.com>

#include <tunables/global>
/usr/sbin/asterisk flags=(complain) {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  capability dac_override,
  capability dac_read_search,
  capability sys_nice,
  capability setuid,
  capability setgid,

  /lib/terminfo/** r,
  /etc/radiusclient-ng/* r,

  /sys/devices/system/cpu/ r,

  /root/.asterisk_history rw,
  /dev/zap/* rw,
  /dev/dahdi/* rw,

  /etc/asterisk/** r,
  /usr/sbin/asterisk mr,

  # for realtime priority
  /usr/sbin/astcanary Pxr,

  # for ODBC
  /etc/odbc.ini r,
  /etc/odbcinst.ini r,
  /var/run/mysqld/mysqld.sock rw,
  /usr/share/mysql/charsets/Index.xml r,

  /usr/lib/asterisk/** mr,
  /usr/share/asterisk/** r,
  /usr/local/share/asterisk/** r,

  /var/lib/asterisk/ r,
  /var/lib/asterisk/** rw,
  /var/lib/asterisk/astdb.sqlite3 k,
  /var/lib/asterisk/*.db k,
  /var/log/asterisk/** rw,
  /var/run/asterisk/* rw,
  /var/spool/asterisk/** rwl,

  # for emailing voicemail
  /tmp/ r,
  /tmp/** rwk,
  /var/tmp/ r,
  /var/tmp/** rwk,
}

/usr/sbin/astcanary flags=(complain) {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  /var/run/asterisk/alt.asterisk.canary.tweet.tweet.tweet rw,
}