# Last Modified: Sun Nov 5 23:14:38 2023 include ## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. /usr/bin/systemcheck flags=(attach_disconnected) { include include include include include include include include include include capability audit_write, capability chown, capability dac_override, capability dac_read_search, capability fowner, capability fsetid, capability kill, capability net_admin, capability setgid, capability setuid, capability sys_admin, capability sys_module, capability sys_ptrace, capability sys_rawio, capability sys_resource, capability sys_time, capability syslog, signal send peer=@{profile_name}, signal send peer=unconfined, signal, ptrace trace peer=@{profile_name}, ptrace trace peer=unconfined, ptrace, deny /etc/fstab r, / r, /dev/ r, /dev/kmsg r, /dev/mem r, /dev/null rw, /dev/pts/[0-9]* rw, /dev/tty rw, /etc/apparmor.d/ r, /etc/apt/apt.conf.d/ r, /etc/apt/apt.conf.d/* r, /etc/apt/preferences.d/ r, /etc/apt/preferences.d/* r, /etc/apt/sources.list r, /etc/apt/sources.list.d/ r, /etc/apt/sources.list.d/* r, /etc/apt/trusted.gpg r, /etc/apt/trusted.gpg.d/ r, /etc/apt/trusted.gpg.d/* r, /etc/dbus-1/session.d/ r, /etc/dbus-1/session.d/** r, /etc/default/nss r, /etc/default/rcS r, /etc/default/sdwdate r, /etc/dpkg/dpkg.cfg r, /etc/dpkg/dpkg.cfg.d/ r, /etc/dpkg/dpkg.cfg.d/** r, /etc/gai.conf r, /etc/group r, /etc/host.conf r, /etc/hosts r, /etc/kicksecure_version r, /etc/ld.so.cache r, /etc/localtime r, /etc/login.defs r, /etc/machine-id r, /etc/nsswitch.conf r, /etc/pam.d/* r, /etc/passwd r, /etc/perl/sitecustomize.pl r, /etc/python*/sitecustomize.py r, /etc/resolv.conf r, /etc/sdwdate.d/ r, /etc/sdwdate.d/* r, /etc/security/capability.conf r, /etc/services r, /etc/shadow r, /etc/ssl/certs/ca-certificates.crt r, /etc/ssl/openssl.cnf r, /etc/sudo.conf r, /etc/sudoers r, /etc/sudoers.d/ r, /etc/sudoers.d/* r, /etc/systemcheck.d/ r, /etc/systemcheck.d/* r, /etc/timezone r, /etc/tor/** r, /etc/torrc.d/ r, /etc/torrc.d/* r, /etc/uwt.d/ r, /etc/uwt.d/** r, /etc/whonix_version r, /lib/*-linux-gnu/** mr, /lib/*/security/** mr, /lib/security/* mr, /run/log/journal/ r, /run/log/journal/** r, /run/msgcollector/ rwk, /run/msgcollector/** rwk, /run/onion-grater/pid r, /run/qubes-whonix/ r, /run/qubes-whonix/qubes.SetDateTime r, /run/resolvconf/resolv.conf r, /run/sdwdate r, /run/sdwdate/ rw, /run/sdwdate/* rw, /run/sudo/ts/systemcheck rw, /run/systemcheck/** mrwcx, /run/tor/control.authcookie r, /run/tor/log r, /run/tor/tor.pid r, /run/utmp rk, /sbin/getcap rix, /sbin/ifconfig rix, /sbin/start-stop-daemon rix, /sys/bus/pci/devices/ r, /sys/bus/pci/slots/ r, /sys/devices/*/net/*/carrier r, /sys/devices/pci0000:00/** r, /sys/devices/system/clocksource/clocksource0/available_clocksource r, /sys/devices/system/clocksource/clocksource0/current_clocksource r, /sys/devices/virtual/dmi/id/** r, /sys/firmware/devicetree/base/hypervisor/compatible r, /sys/fs/cgroup/cpuset/cgroup.clone_children rw, /sys/fs/cgroup/freezer/cgroup.procs rw, /sys/fs/cgroup/freezer/user/debian-tor/ rw, /sys/fs/cgroup/freezer/user/debian-tor/** rw, /sys/fs/cgroup/freezer/user/root/ rw, /sys/fs/cgroup/freezer/user/root/** rw, /sys/fs/cgroup/freezer/user/root/0/cgroup.procs rw, /sys/fs/cgroup/freezer/user/systemcheck/ rw, /sys/fs/cgroup/freezer/user/systemcheck/** rw, /sys/fs/cgroup/memory/cgroup.procs rw, /sys/fs/cgroup/memory/user/debian-tor/ rw, /sys/fs/cgroup/memory/user/debian-tor/** rw, /sys/fs/cgroup/memory/user/root/ rw, /sys/fs/cgroup/memory/user/root/** rw, /sys/fs/cgroup/memory/user/root/0/cgroup.procs rw, /sys/fs/cgroup/memory/user/systemcheck/ rw, /sys/fs/cgroup/memory/user/systemcheck/0/ rw, /sys/fs/cgroup/memory/user/systemcheck/0/** rw, /sys/fs/cgroup/systemd/cgroup.procs mrwcx, /sys/fs/cgroup/systemd/system.slice/whonix-firewall.service/ r, /sys/fs/cgroup/systemd/system.slice/whonix-firewall.service/** r, /sys/fs/cgroup/systemd/user/ rw, /sys/fs/cgroup/systemd/user/debian-tor/ rw, /sys/fs/cgroup/systemd/user/debian-tor/** rw, /sys/fs/cgroup/systemd/user/root/ rw, /sys/fs/cgroup/systemd/user/root/** rw, /sys/fs/cgroup/systemd/user/root/0/cgroup.procs rw, /sys/fs/cgroup/systemd/user/systemcheck/ rw, /sys/fs/cgroup/systemd/user/systemcheck/** rw, /sys/hypervisor/properties/features r, /sys/hypervisor/type r, /tmp/** rwlcix, /usr/bin/apt-get rix, /usr/bin/check-dfsg-status r, /usr/bin/check-dfsg-status ux, /usr/bin/curl rix, /usr/bin/setsid mrix, /usr/lib/*-linux-gnu/security/** mr, /usr/lib/apt/methods/* rix, /usr/lib/python*/** mrl, /usr/lib/python*/__pycache__/ rw, /usr/lib/python*/__pycache__/** rw, /usr/lib/sudo/sudoers.so mr, /usr/lib/torsocks/* mr, /usr/libexec/helper-scripts/ r, /usr/libexec/helper-scripts/* rix, /usr/libexec/helper-scripts/curl_exit_codes rix, /usr/libexec/helper-scripts/onion-time-pre-script rUx, /usr/libexec/msgcollector/ r, /usr/libexec/msgcollector/* rix, /usr/libexec/security-misc/apt-get-update rUx, /usr/libexec/systemcheck/ r, /usr/libexec/systemcheck/** rix, /usr/libexec/uwt/uwtexec rix, /usr/libexec/uwt/uwtwrapper rix, /usr/local/etc/torrc.d/ r, /usr/local/etc/torrc.d/* r, /usr/sbin/anondate rix, /usr/sbin/apparmor-info rix, /usr/sbin/getcap rix, /usr/sbin/pam-tmpdir-helper mrix, /usr/sbin/tor rix, /usr/share/** r, /usr/share/tor/** r, /var/cache/apt/ r, /var/cache/apt/* rw, /var/lib/anon-dist/build_version r, /var/lib/apt/extended_states r, /var/lib/apt/lists/ r, /var/lib/apt/lists/** rwk, /var/lib/canary/canary-unixtime.txt r, /var/lib/canary/canary_last_done r, /var/lib/dist-base-files/build_version r, /var/lib/dpkg/** rwk, /var/lib/dpkg/lock r, /var/lib/systemcheck/** rw, /var/lib/tor/** r, /var/log/apt/** rw, /var/log/journal/ r, /var/log/journal/** r, /var/log/tor/log r, /{,usr/}bin/awk rix, /{,usr/}bin/basename rix, /{,usr/}bin/bash rix, /{,usr/}bin/bsdtar rix, /{,usr/}bin/cat rix, /{,usr/}bin/chmod rix, /{,usr/}bin/chown rix, /{,usr/}bin/cp rix, /{,usr/}bin/dash rix, /{,usr/}bin/date rix, /{,usr/}bin/dbus-daemon rix, /{,usr/}bin/diff rix, /{,usr/}bin/dirname rix, /{,usr/}bin/dmesg rix, /{,usr/}bin/dpkg rix, /{,usr/}bin/dpkg-query rix, /{,usr/}bin/echo rix, /{,usr/}bin/env rix, /{,usr/}bin/fuser rix, /{,usr/}bin/gawk rix, /{,usr/}bin/gdbus rix, /{,usr/}bin/getopt rix, /{,usr/}bin/gpg rix, /{,usr/}bin/gpgv rix, /{,usr/}bin/grep rix, /{,usr/}bin/hardened-malloc-type-test rix, /{,usr/}bin/head rix, /{,usr/}bin/hostname rix, /{,usr/}bin/id rix, /{,usr/}bin/install rix, /{,usr/}bin/journalctl rix, /{,usr/}bin/lspci rix, /{,usr/}bin/mawk rix, /{,usr/}bin/mkdir rix, /{,usr/}bin/mkfifo rix, /{,usr/}bin/mktemp rix, /{,usr/}bin/od rix, /{,usr/}bin/pgrep rix, /{,usr/}bin/ps rix, /{,usr/}bin/pstree rix, /{,usr/}bin/python* rix, /{,usr/}bin/qubesdb-cmd rix, /{,usr/}bin/qubesdb-read rix, /{,usr/}bin/readlink rix, /{,usr/}bin/rm rix, /{,usr/}bin/run-parts rix, /{,usr/}bin/sdwdate rix, /{,usr/}bin/sed rix, /{,usr/}bin/sleep rix, /{,usr/}bin/sort rix, /{,usr/}bin/spectre-meltdown-checker cux, /{,usr/}bin/stat rix, /{,usr/}bin/sudo rix, /{,usr/}bin/sync rix, /{,usr/}bin/systemcheck r, /{,usr/}bin/systemctl rix, /{,usr/}bin/systemd* rix, /{,usr/}bin/systemd-detect-virt rix, /{,usr/}bin/tail rix, /{,usr/}bin/tar rix, /{,usr/}bin/tee rix, /{,usr/}bin/test rix, /{,usr/}bin/timedatectl rix, /{,usr/}bin/timeout rix, /{,usr/}bin/tor rix, /{,usr/}bin/torsocks rix, /{,usr/}bin/touch rix, /{,usr/}bin/tput rix, /{,usr/}bin/tr rix, /{,usr/}bin/tty rix, /{,usr/}bin/uname rix, /{,usr/}bin/uuidgen rix, /{,usr/}bin/uwt rix, /{,usr/}bin/vrms rix, /{,usr/}bin/which rix, /{,usr/}bin/whoami rix, /{,usr/}bin/wmctrl rix, /{,usr/}bin/xz rix, /{,usr/}bin/zenity rix, /{,var/}run/tor/** r, @{HOME}/ r, @{HOME}/.msgcollector rwk, @{HOME}/.msgcollector/** rwk, @{HOME}/tor-browser_en-US/Docs/sources/versions r, @{HOME}/tor-browser_en-US/Docs/version r, @{PROC} r, @{PROC}/*/cmdline r, @{PROC}/*/mountinfo r, @{PROC}/[0-9]*/cgroup r, @{PROC}/[0-9]*/comm r, @{PROC}/[0-9]*/environ r, @{PROC}/[0-9]*/fd/ r, @{PROC}/[0-9]*/net/** r, @{PROC}/[0-9]*/stat r, @{PROC}/[0-9]*/status r, @{PROC}/[0-9]*/task/ r, @{PROC}/[0-9]*/task/** r, @{PROC}/[0-9]/sched r, @{PROC}/cmdline r, @{PROC}/swaps r, @{PROC}/sys/kernel/osrelease r, @{PROC}/sys/kernel/pid_max r, @{PROC}/sys/kernel/random/boot_id r, @{PROC}/sys/kernel/random/entropy_avail r, @{PROC}/sys/kernel/random/uuid r, @{PROC}/sys/net/ipv4/ip_forward r, @{PROC}/tty/drivers r, @{PROC}/uptime r, @{PROC}/xen/capabilities r, owner /etc/security/limits.conf r, owner /etc/security/limits.d/** r, owner /proc/*/limits r, owner /proc/sys/kernel/seccomp/actions_avail r, owner /run/sudo/ts/user rw, owner /sys/firmware/dmi/entries/** r, owner /usr/lib/python*/** mrwl, owner /usr/libexec/sudo/libsudo_util.so.* mr, owner /usr/libexec/sudo/sudoers.so mr, owner /{,var/}run/utmp rwk, }