// Network/IOT Security Profile
// For embedded devices and IoT with minimal resources and strict isolation.
//
// NOTE(review): this file was collapsed onto a single line, so the leading
// "//" would comment out the whole profile. It is laid out one setting per
// line here; the settings and their values are unchanged.
profile "NetworkIOT" {
    version "1.0"
    description "Strict isolation with minimal resources for embedded devices"

    // Isolation settings (strict for IoT security)
    isolation {
        level "Strict"
        // Enabled: mount, PID, network, IPC and UTS namespaces.
        // The user namespace is the only one switched off.
        // NOTE(review): with "user false" there is presumably no UID remapping,
        // so a root process inside the profile may be host root; confirm this is
        // intended for a profile labelled "Strict".
        namespaces {
            mount true
            pid true
            network true
            ipc true
            user false
            uts true
        }
    }

    // Desktop integration (disabled for headless)
    // Every desktop-facing channel (themes, fonts, clipboard, D-Bus) is off.
    desktop {
        integration false
        themes false
        fonts false
        clipboard false
        dbus false
    }

    // Network access (minimal for IoT)
    network {
        access "Minimal"
        // "no_local_network" and allow_local_network below express the same
        // intent; keep the two in agreement when editing either one.
        restrictions [ "no_local_network" "whitelist_only" ]
        allow_local_network false
        // Allowlisted destinations. The example.com names are placeholders and
        // must be replaced with the deployment's real endpoints.
        // NOTE(review): how hostnames are resolved and enforced (DNS lookup time,
        // ports, protocols) is not visible in this profile; verify against the
        // runtime before relying on the allowlist as an egress control.
        whitelist [ "mqtt.example.com" "api.example.com" ]
    }

    // Resource limits (minimal for embedded)
    resources {
        max_memory "512MB"
        // Presumably a fraction of one CPU core; confirm the unit.
        max_cpu 0.5
        max_disk "256MB"
        max_processes 20
        max_open_files 128
    }

    // XDG enforcement (strict)
    xdg {
        enforce true
        redirect_legacy true
        strict_mode true
    }

    // Security settings (maximum for IoT)
    security {
        allow_system_units false
        // NOTE(review): full audit logging next to max_disk "256MB" -- confirm
        // where audit records are written and how they are rotated or shipped,
        // so a full quota does not silently drop the audit trail.
        audit_logging "Full"
        // Repeats isolation.namespaces.network; keep the two consistent.
        network_namespace true
        filesystem_isolation true
        // Writable locations are not declared in this profile; packages that
        // need persistent state will need an explicit writable path.
        read_only_root true
    }

    // Default packages for IoT
    // NOTE(review): the profile sets no transport security or authentication
    // for MQTT; that has to come from the mosquitto configuration itself.
    recommended_packages [ "busybox" "mosquitto" ]
}