#include <tunables/global>

profile mcp-python {
  #include <abstractions/base>
  #include <abstractions/python>

  # Python interpreter access
  /usr/bin/python3.12 mr,
  /app/.venv/bin/python3.12 mr,
  /app/.venv/bin/python mr,
  
  # Python libraries
  /usr/lib/python3.12/** r,
  /app/.venv/lib/python3.12/** r,
  
  # Sandbox directory access
  /app/sandbox/python/** rw,
  /app/data/** r,
  
  # Temporary directory access
  /app/temp/** rw,
  /tmp/** rw,
  
  # Allow Python to read its necessary files
  /etc/passwd r,
  /etc/group r,
  
  # Deny network access
  deny network inet,
  deny network inet6,
  
  # Deny access to sensitive directories 
  deny @{HOME}/** rwx,
  deny /mnt/** rwx,
  deny /media/** rwx,
  deny /run/** rwx,
  deny /proc/** rwx,
  deny /sys/** rwx,
  deny /dev/** rwx,
  deny /var/** rwx,
  deny /etc/shadow rwx,
  deny /root/** rwx,
} 