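# AppArmor confinement for setuid wrappers (currently only `ping`).
#
# The setuid entry point is the wrapper under /run/wrappers; the profile
# below confines it so that a bug in ping cannot be turned into a general
# privilege escalation: only the two capabilities it needs, raw inet
# sockets, and read/mmap access to the exact libraries it links against.
#
# NOTE(review): the extracted copy of this file had lost the <...> targets
# of every `#include` directive (an AppArmor profile with a bare `#include`
# does not parse); they are restored here from the standard AppArmor
# abstractions -- confirm against the upstream module.
{ config, lib, pkgs, ... }:

let
  cfg = config.security.apparmor;
in

with lib;

{
  # Historical rename (misspelled "virtualization"); unrelated to AppArmor
  # but kept so that existing configurations keep evaluating.
  imports = [
    (mkRenamedOptionModule
      [ "security" "virtualization" "flushL1DataCache" ]
      [ "security" "virtualisation" "flushL1DataCache" ])
  ];

  # Confinement is opt-out: the profile is installed unless this is false.
  options.security.apparmor.confineSUIDApplications = mkOption {
    type = types.bool;
    default = true;
    description = ''
      Install AppArmor profiles for commonly-used SUID application to mitigate
      potential privilege escalation attacks due to bugs in such applications.

      Currently available profiles: ping
    '';
  };

  config = mkIf (cfg.confineSUIDApplications) {
    # Profile for the setuid ping wrapper. The wrapper directory carries a
    # per-generation suffix, hence the `wrappers.*` glob in the paths.
    # NOTE(review): this module only registers the policy; presumably it is
    # loaded only when security.apparmor.enable is set -- confirm.
    security.apparmor.policies."bin/ping".profile = ''
      #include <tunables/global>
      /run/wrappers/wrappers.*/ping {
        #include <abstractions/base>
        #include <abstractions/consoles>
        #include <abstractions/nameservice>

        # Least privilege: raw ICMP sockets need CAP_NET_RAW; setuid is
        # presumably what lets the binary drop back to the caller's uid.
        capability net_raw,
        capability setuid,
        network inet raw,

        # Only the libraries the wrapped binary links against, read + mmap (mr).
        # The gconv table and locale archive are data, so plain read (r).
        ${getLib pkgs.stdenv.cc.cc}/lib/*.so* mr,
        ${getLib pkgs.stdenv.cc.libc}/lib/*.so* mr,
        ${getLib pkgs.stdenv.cc.libc}/lib/gconv/gconv-modules r,
        ${getLib pkgs.glibcLocales}/lib/locale/locale-archive r,
        ${getLib pkgs.attr.out}/lib/libattr.so* mr,
        ${getLib pkgs.libcap.lib}/lib/libcap.so* mr,
        ${getLib pkgs.libcap_ng}/lib/libcap-ng.so* mr,
        ${getLib pkgs.libidn2}/lib/libidn2.so* mr,
        ${getLib pkgs.libunistring}/lib/libunistring.so* mr,
        ${getLib pkgs.nettle}/lib/libnettle.so* mr,

        # Deliberately left commented out: the process environment is not
        # readable under this profile.
        #@{PROC}/@{pid}/environ r,
        /run/wrappers/wrappers.*/ping.real r,
        # mixr = mmap + inherit-execute (ix) + read: the real binary keeps
        # running under this same profile instead of transitioning to another.
        ${pkgs.iputils}/bin/ping mixr,
        #/etc/modules.conf r,
        ## Site-specific additions and overrides. See local/README for details.
        ##include <local/bin.ping>
      }
    '';
  };
}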