#include <tunables/global>

profile mcp-bash {
  #include <abstractions/base>
  #include <abstractions/bash>

  # Basic permissions
  /bin/bash mr,
  /usr/bin/bash mr,
  /bin/dash mr,
  /usr/bin/dash mr,
  
  # Basic commands we allow
  /bin/ls mr,
  /usr/bin/ls mr,
  /bin/cat mr,
  /usr/bin/cat mr,
  /bin/grep mr,
  /usr/bin/grep mr,
  /bin/echo mr,
  /usr/bin/echo mr,
  /bin/mkdir mr,
  /usr/bin/mkdir mr,
  /bin/touch mr,
  /usr/bin/touch mr,
  /bin/pwd mr,
  /usr/bin/pwd mr,
  /bin/find mr,
  /usr/bin/find mr,
  
  # Sandbox directory access
  /app/sandbox/bash/** rw,
  /app/data/** r,
  
  # Temporary directory access
  /app/temp/** rw,
  /tmp/** rw,
  
  # Common files
  /etc/passwd r,
  /etc/group r,
  
  # Deny network access
  deny network inet,
  deny network inet6,
  
  # Deny file system outside specific directories
  deny @{HOME}/** rwx,
  deny /mnt/** rwx,
  deny /media/** rwx,
  deny /run/** rwx,
  deny /proc/** rwx,
  deny /sys/** rwx,
  deny /dev/** rwx,
  deny /var/** rwx,
  deny /etc/shadow rwx,
  deny /root/** rwx,
} 