# Last Modified: Fri Nov  6 16:46:34 2015
#include <tunables/global>

# ------------------------------------------------------------------
#
#   Copyright (C) 2013 Canonical Ltd.
#
#   This program is free software; you can redistribute it and/or
#   modify it under the terms of version 2 of the GNU General Public
#   License published by the Free Software Foundation.
#
#   Author: Jonathan Davies <jonathan.davies@canonical.com>
#
# ------------------------------------------------------------------


/usr/lib/ipsec/charon {
  #include <abstractions/authentication>
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/openssl>
  #include <local/usr.lib.ipsec.charon>

  capability net_admin,
  capability net_raw,

  network packet dgram,
  network raw,

  /bin/dash mrPUx,
  /etc/ipsec.*.secrets r,
  /etc/ipsec.conf r,
  /etc/ipsec.d/ r,
  /etc/ipsec.d/** r,
  /etc/ipsec.secrets r,
  /etc/strongswan.conf r,
  /etc/strongswan.d/ r,
  /etc/strongswan.d/** r,
  /etc/tnc_config r,
  /proc/sys/net/core/xfrm_acq_expires w,
  /run/charon.* rw,
  /tmp/charon.log a,
  /usr/lib/ipsec/charon mrix,
  /usr/lib/ipsec/imcvs/ r,
  /usr/lib/ipsec/imcvs/** mr,
  /var/log/charon.log rw,

}