# Last Modified: Sun Nov 5 23:14:38 2023
include <tunables/global>
## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
/usr/bin/systemcheck flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/bash>
include <abstractions/dbus-session>
include <abstractions/dbus>
include <abstractions/fonts>
include <abstractions/tor-circuit-established-check>
include <abstractions/tor>
include <abstractions/totem>
include <abstractions/ubuntu-konsole>
include <local/usr.bin.systemcheck>
capability audit_write,
capability chown,
capability dac_override,
capability dac_read_search,
capability fowner,
capability fsetid,
capability kill,
capability net_admin,
capability setgid,
capability setuid,
capability sys_admin,
capability sys_module,
capability sys_ptrace,
capability sys_rawio,
capability sys_resource,
capability sys_time,
capability syslog,
signal send peer=@{profile_name},
signal send peer=unconfined,
signal,
ptrace trace peer=@{profile_name},
ptrace trace peer=unconfined,
ptrace,
deny /etc/fstab r,
/ r,
/dev/ r,
/dev/kmsg r,
/dev/mem r,
/dev/null rw,
/dev/pts/[0-9]* rw,
/dev/tty rw,
/etc/adduser.conf r,
/etc/apparmor.d/ r,
/etc/apt/apt.conf.d/ r,
/etc/apt/apt.conf.d/* r,
/etc/apt/preferences.d/ r,
/etc/apt/preferences.d/* r,
/etc/apt/sources.list r,
/etc/apt/sources.list.d/ r,
/etc/apt/sources.list.d/* r,
/etc/apt/trusted.gpg r,
/etc/apt/trusted.gpg.d/ r,
/etc/apt/trusted.gpg.d/* r,
/etc/dbus-1/session.d/ r,
/etc/dbus-1/session.d/** r,
/etc/default/nss r,
/etc/default/rcS r,
/etc/default/sdwdate r,
/etc/dpkg/dpkg.cfg r,
/etc/dpkg/dpkg.cfg.d/ r,
/etc/dpkg/dpkg.cfg.d/** r,
/etc/gai.conf r,
/etc/group r,
/etc/host.conf r,
/etc/hosts r,
/etc/kicksecure_version r,
/etc/ld.so.cache r,
/etc/lightdm/** r,
/etc/localtime r,
/etc/login.defs r,
/etc/machine-id r,
/etc/nsswitch.conf r,
/etc/pam.d/* r,
/etc/passwd r,
/etc/perl/sitecustomize.pl r,
/etc/privleap/** r,
/etc/python*/sitecustomize.py r,
/etc/resolv.conf r,
/etc/safe-rm.conf r,
/usr/local/etc/safe-rm.conf r,
/etc/sdwdate.d/ r,
/etc/sdwdate.d/* r,
/etc/security/capability.conf r,
/etc/services r,
/etc/shadow r,
/etc/ssl/certs/ca-certificates.crt r,
/etc/ssl/openssl.cnf r,
/etc/sudo.conf r,
/etc/sudoers r,
/etc/sudoers.d/ r,
/etc/sudoers.d/* r,
/etc/systemcheck.d/ r,
/etc/systemcheck.d/* r,
/etc/timezone r,
/etc/tor/** r,
/etc/torrc.d/ r,
/etc/torrc.d/* r,
/etc/user-sysmaint-split.conf.d/* r,
/etc/uwt.d/ r,
/etc/uwt.d/** r,
/etc/whonix_version r,
/etc/X11/default-display-manager r,
/lib/*-linux-gnu/** mr,
/lib/*/security/** mr,
/lib/security/* mr,
/run/privleapd/pid r,
/run/log/journal/ r,
/run/log/journal/** r,
/run/*/[0-9]*/msgcollector/ rwk,
/run/*/[0-9]*/msgcollector/** rwk,
/run/onion-grater/pid r,
/run/qubes-whonix/ r,
/run/qubes-whonix/qubes.SetDateTime r,
/run/resolvconf/resolv.conf r,
/run/sdwdate r,
/run/sdwdate/ rw,
/run/sdwdate/* rw,
/run/sudo/** rw,
/run/systemcheck/** mrwcx,
/run/tor/control.authcookie r,
/run/tor/log r,
/run/tor/tor.pid r,
/run/utmp rk,
/usr/bin/safe-rm rix,
/usr/bin/stecho rix,
/usr/sbin/getcap rix,
/usr/sbin/ifconfig rix,
/usr/sbin/start-stop-daemon rix,
/sys/bus/pci/devices/ r,
/sys/bus/pci/slots/ r,
/sys/devices/*/net/*/carrier r,
/sys/devices/pci0000:00/** r,
/sys/devices/system/clocksource/clocksource0/available_clocksource r,
/sys/devices/system/clocksource/clocksource0/current_clocksource r,
/sys/devices/virtual/dmi/id/** r,
/sys/firmware/devicetree/base/hypervisor/compatible r,
/sys/fs/cgroup/cpuset/cgroup.clone_children rw,
/sys/fs/cgroup/freezer/cgroup.procs rw,
/sys/fs/cgroup/freezer/user/debian-tor/ rw,
/sys/fs/cgroup/freezer/user/debian-tor/** rw,
/sys/fs/cgroup/freezer/user/root/ rw,
/sys/fs/cgroup/freezer/user/root/** rw,
/sys/fs/cgroup/freezer/user/root/0/cgroup.procs rw,
/sys/fs/cgroup/freezer/user/systemcheck/ rw,
/sys/fs/cgroup/freezer/user/systemcheck/** rw,
/sys/fs/cgroup/memory/cgroup.procs rw,
/sys/fs/cgroup/memory/user/debian-tor/ rw,
/sys/fs/cgroup/memory/user/debian-tor/** rw,
/sys/fs/cgroup/memory/user/root/ rw,
/sys/fs/cgroup/memory/user/root/** rw,
/sys/fs/cgroup/memory/user/root/0/cgroup.procs rw,
/sys/fs/cgroup/memory/user/systemcheck/ rw,
/sys/fs/cgroup/memory/user/systemcheck/0/ rw,
/sys/fs/cgroup/memory/user/systemcheck/0/** rw,
/sys/fs/cgroup/systemd/cgroup.procs mrwcx,
/sys/fs/cgroup/systemd/system.slice/whonix-firewall.service/ r,
/sys/fs/cgroup/systemd/system.slice/whonix-firewall.service/** r,
/sys/fs/cgroup/systemd/user/ rw,
/sys/fs/cgroup/systemd/user/debian-tor/ rw,
/sys/fs/cgroup/systemd/user/debian-tor/** rw,
/sys/fs/cgroup/systemd/user/root/ rw,
/sys/fs/cgroup/systemd/user/root/** rw,
/sys/fs/cgroup/systemd/user/root/0/cgroup.procs rw,
/sys/fs/cgroup/systemd/user/systemcheck/ rw,
/sys/fs/cgroup/systemd/user/systemcheck/** rw,
/sys/hypervisor/properties/features r,
/sys/hypervisor/type r,
/tmp/** rwlcix,
/usr/bin/apt-get rix,
/usr/bin/check-dfsg-status r,
/usr/bin/check-dfsg-status ux,
/usr/bin/curl rix,
/usr/bin/setsid mrix,
/usr/lib/*-linux-gnu/security/** mr,
/usr/lib/apt/methods/* rix,
/usr/lib/python*/** mrl,
/usr/lib/python*/__pycache__/ rw,
/usr/lib/python*/__pycache__/** rw,
/usr/lib/sudo/sudoers.so mr,
/usr/lib/torsocks/* mr,
/usr/libexec/helper-scripts/ r,
/usr/libexec/helper-scripts/* rix,
/usr/libexec/helper-scripts/curl_exit_codes rix,
/usr/libexec/helper-scripts/onion-time-pre-script rUx,
/usr/libexec/msgcollector/ r,
/usr/libexec/msgcollector/* rix,
/usr/libexec/security-misc/apt-get-update rUx,
/usr/libexec/systemcheck/ r,
/usr/libexec/systemcheck/** rix,
/usr/libexec/user-sysmaint-split/sysmaint-boot rix,
/usr/libexec/uwt/uwtexec rix,
/usr/libexec/uwt/uwtwrapper rix,
/usr/local/etc/torrc.d/ r,
/usr/local/etc/torrc.d/* r,
/usr/sbin/autologinchange rix,
/usr/sbin/anondate rix,
/usr/sbin/apparmor-info rix,
/usr/sbin/pam-tmpdir-helper mrix,
/usr/sbin/tor rix,
/usr/share/** r,
/usr/share/tor/** r,
/var/cache/apt/ r,
/var/cache/apt/* rw,
/var/lib/anon-dist/build_version r,
/var/lib/apt/extended_states r,
/var/lib/apt/lists/ r,
/var/lib/apt/lists/** rwk,
/var/lib/canary/canary-unixtime.txt r,
/var/lib/canary/canary_last_done r,
/var/lib/dist-base-files/build_version r,
/var/lib/dpkg/** rwk,
/var/lib/dpkg/lock r,
/var/lib/systemcheck/** rw,
/var/lib/tor/** r,
/var/log/apt/** rw,
/var/log/journal/ r,
/var/log/journal/** r,
/var/log/tor/log r,
/{,usr/}bin/accountctl rix,
/{,usr/}bin/awk rix,
/{,usr/}bin/basename rix,
/{,usr/}bin/bash rix,
/{,usr/}bin/bsdtar rix,
/{,usr/}bin/cat rix,
/{,usr/}bin/chmod rix,
/{,usr/}bin/chown rix,
/{,usr/}bin/cp rix,
/{,usr/}bin/cut rix,
/{,usr/}bin/dash rix,
/{,usr/}bin/date rix,
/{,usr/}bin/dbus-daemon rix,
/{,usr/}bin/diff rix,
/{,usr/}bin/dirname rix,
/{,usr/}bin/dmesg rix,
/{,usr/}bin/dpkg rix,
/{,usr/}bin/dpkg-query rix,
/{,usr/}bin/echo rix,
/{,usr/}bin/env rix,
/{,usr/}bin/fuser rix,
/{,usr/}bin/gawk rix,
/{,usr/}bin/gdbus rix,
/{,usr/}bin/getopt rix,
/{,usr/}bin/gpg rix,
/{,usr/}bin/gpgv rix,
/{,usr/}bin/grep rix,
/{,usr/}bin/hardened-malloc-type-test rix,
/{,usr/}bin/head rix,
/{,usr/}bin/hostname rix,
/{,usr/}bin/id rix,
/{,usr/}bin/install rix,
/{,usr/}bin/journalctl rix,
/{,usr/}bin/leaprun rix,
/{,usr/}bin/privleapd rix,
/{,usr/}bin/lspci rix,
/{,usr/}bin/mawk rix,
/{,usr/}bin/mkdir rix,
/{,usr/}bin/mkfifo rix,
/{,usr/}bin/mktemp rix,
/{,usr/}bin/od rix,
/{,usr/}bin/pgrep rix,
/{,usr/}bin/ps rix,
/{,usr/}bin/pstree rix,
/{,usr/}bin/python* rix,
/{,usr/}bin/qubesdb-cmd rix,
/{,usr/}bin/qubesdb-read rix,
/{,usr/}bin/readlink rix,
/{,usr/}bin/rm rix,
/{,usr/}bin/run-parts rix,
/{,usr/}bin/sdwdate rix,
/{,usr/}bin/sed rix,
/{,usr/}bin/sleep rix,
/{,usr/}bin/sort rix,
/{,usr/}bin/spectre-meltdown-checker cux,
/{,usr/}bin/stat rix,
/{,usr/}bin/sudo rix,
/{,usr/}bin/sync rix,
/{,usr/}bin/systemcheck r,
/{,usr/}bin/systemctl rix,
/{,usr/}bin/systemd* rix,
/{,usr/}bin/systemd-detect-virt rix,
/{,usr/}bin/tail rix,
/{,usr/}bin/tar rix,
/{,usr/}bin/tee rix,
/{,usr/}bin/test rix,
/{,usr/}bin/timedatectl rix,
/{,usr/}bin/timeout rix,
/{,usr/}bin/tor rix,
/{,usr/}bin/torsocks rix,
/{,usr/}bin/touch rix,
/{,usr/}bin/tput rix,
/{,usr/}bin/tr rix,
/{,usr/}bin/tty rix,
/{,usr/}bin/uname rix,
/{,usr/}bin/uuidgen rix,
/{,usr/}bin/uwt rix,
/{,usr/}bin/vrms rix,
/{,usr/}bin/which rix,
/{,usr/}bin/whoami rix,
/{,usr/}bin/wmctrl rix,
/{,usr/}bin/xz rix,
/{,usr/}bin/zenity rix,
/{,var/}run/tor/** r,
@{HOME}/ r,
@{HOME}/.msgcollector rwk,
@{HOME}/.msgcollector/** rwk,
@{HOME}/tor-browser_en-US/Docs/sources/versions r,
@{HOME}/tor-browser_en-US/Docs/version r,
@{HOME}/.config/safe-rm r,
@{HOME}/.sudo_as_admin_successful rw,
@{PROC} r,
@{PROC}/*/cmdline r,
@{PROC}/*/mountinfo r,
@{PROC}/[0-9]*/cgroup r,
@{PROC}/[0-9]*/comm r,
@{PROC}/[0-9]*/environ r,
@{PROC}/[0-9]*/fd/ r,
@{PROC}/[0-9]*/net/** r,
@{PROC}/[0-9]*/stat r,
@{PROC}/[0-9]*/status r,
@{PROC}/[0-9]*/task/ r,
@{PROC}/[0-9]*/task/** r,
@{PROC}/[0-9]/sched r,
@{PROC}/cmdline r,
@{PROC}/swaps r,
@{PROC}/sys/kernel/osrelease r,
@{PROC}/sys/kernel/pid_max r,
@{PROC}/sys/kernel/random/boot_id r,
@{PROC}/sys/kernel/random/entropy_avail r,
@{PROC}/sys/kernel/random/uuid r,
@{PROC}/sys/net/ipv4/ip_forward r,
@{PROC}/tty/drivers r,
@{PROC}/uptime r,
@{PROC}/xen/capabilities r,
owner /etc/security/limits.conf r,
owner /etc/security/limits.d/** r,
owner /proc/*/limits r,
owner /proc/sys/kernel/seccomp/actions_avail r,
## TODO: Do we still need these exceptions when we have a /run/sudo/** rw exception above?
owner /run/sudo/ts/user rw,
owner /run/sudo/ts/systemcheck rw,
owner /sys/firmware/dmi/entries/** r,
owner /usr/lib/python*/** mrwl,
owner /usr/libexec/sudo/libsudo_util.so.* mr,
owner /usr/libexec/sudo/sudoers.so mr,
owner /{,var/}run/utmp rwk,
}