#include <tunables/global>

/usr/{s,}bin/dnscrypt-proxy flags=(attach_disconnected) {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/openssl>

  capability chown,
  capability dac_override,
  capability net_bind_service,
  capability setgid,
  capability setuid,
  capability sys_resource,

  /etc/dnscrypt-proxy/** r,
  /usr/bin/dnscrypt-proxy mr,
  /var/cache/{private/,}dnscrypt-proxy/** rw,

  /tmp/*.tmp w,
  owner /tmp/*.tmp r,

  /run/systemd/notify rw,
  /lib/x86_64-linux-gnu/ld-*.so mr,
  @{PROC}/sys/kernel/hostname r,
  @{PROC}/sys/net/core/somaxconn r,
  /etc/ld.so.cache r,
  /usr/local/lib/{@{multiarch}/,}libldns.so* mr,
  /usr/local/lib/{@{multiarch}/,}libsodium.so* mr,
}