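#!/usr/bin/env bash
#
# Install the AppArmor profile templates shipped in ./profiles (next to this
# script) into /etc/apparmor.d and load them into the running policy.
#
# Usage: sudo ./install.sh
#
# The templates are parsed and loaded with root privileges, so run this only
# from a checkout whose contents you have reviewed.
set -euo pipefail

# Writing to /etc/apparmor.d and replacing loaded policy both require root.
if [[ ${EUID} -ne 0 ]]; then
  echo "Run as root: sudo ./install.sh" >&2
  exit 1
fi

if ! command -v apparmor_parser >/dev/null 2>&1; then
  echo "apparmor_parser is required but was not found" >&2
  exit 1
fi

# Resolve the script's own directory so the installer works from any cwd.
repo_dir="$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" && pwd)"
readonly repo_dir
readonly profile_dir="${repo_dir}/profiles"
readonly target_dir="/etc/apparmor.d"

# Profile file names to install; each must exist under ${profile_dir}.
readonly -a profiles=(
  "usr.bin.bwrap"
)

# Pass 1: check every template before touching the system. Previously a
# template was copied into /etc/apparmor.d first and parsed afterwards, so a
# malformed one was left behind in the system profile directory when
# apparmor_parser failed and `set -e` aborted the script.
for profile in "${profiles[@]}"; do
  template="${profile_dir}/${profile}"

  if [[ ! -f "${template}" ]]; then
    echo "Missing profile template: ${template}" >&2
    exit 1
  fi

  # -Q: compile without loading into the kernel; -K: leave the cache alone.
  if ! apparmor_parser -Q -K -- "${template}" >/dev/null; then
    echo "Profile template failed validation: ${template}" >&2
    exit 1
  fi
done

# Pass 2: install and load. Nothing is written unless every template parsed.
for profile in "${profiles[@]}"; do
  template="${profile_dir}/${profile}"
  target="${target_dir}/${profile}"

  # Root-owned and not group/world writable.
  install -m 0644 -o root -g root -- "${template}" "${target}"

  # -r replaces an already-loaded profile of the same name.
  apparmor_parser -r -- "${target}"
  echo "Loaded ${target}"
done

echo "Targeted AppArmor user namespace profile installed."
echo "No sysctl settings were changed."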