# Last Modified: Thu Sep 23 15:22:11 2021
#include <tunables/global>

## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
## See the file COPYING for copying conditions.


/usr/bin/sdwdate flags=(attach_disconnected) {
  #include <abstractions/base>
  #include <abstractions/bash>
  #include <abstractions/python>
  #include <abstractions/url_to_unixtime>
  #include <local/usr.bin.sdwdate>

  capability sys_time,

  signal receive set=cont,
  signal receive set=term,
  signal send set=term peer=/usr/bin/sdwdate//null-/usr/bin/url_to_unixtime,

  deny /usr/sbin/ldconfig rx,

  deny /etc/nsswitch.conf r,
  deny /etc/passwd r,
  /etc/sdwdate.d/ r,
  /etc/sdwdate.d/** r,
  /etc/tor/ r,
  /etc/tor/** r,
  /run/tor/control.authcookie r,
  /tmp/* mrw,
  /tmp/** mrw,
  /usr/lib/python3/dist-packages/sdwdate/timesanitycheck.py rix,
  /usr/libexec/helper-scripts/ r,
  /usr/libexec/helper-scripts/** r,
  /usr/libexec/helper-scripts/onion-time-pre-script rix,
  /usr/libexec/helper-scripts/settings_echo mrix,
  /usr/libexec/helper-scripts/tor_bootstrap_check.bsh mrix,
  /usr/libexec/helper-scripts/tor_bootstrap_check.py mrix,
  /usr/libexec/helper-scripts/tor_consensus_valid-after.py mrix,
  /usr/libexec/helper-scripts/tor_consensus_valid-until.py mrix,
  /usr/libexec/sdwdate/sclockadj rix,
  /usr/sbin/anondate-get rUx,
  /usr/share/timesanitycheck/minimum_unixtime r,
  /usr/share/tor/tor-service-defaults-torrc r,
  /usr/share/tor/tor-service-defaults-torrc.anondist r,
  /usr/share/translations/sdwdate.yaml r,
  /var/lib/sdwdate/ rw,
  /var/lib/sdwdate/time-replay-protection-utc-humanreadable rw,
  /var/lib/sdwdate/time-replay-protection-utc-unixtime rw,
  /{,usr/local/}etc/torrc.d/ r,
  /{,usr/local/}etc/torrc.d/** r,
  /{,usr/}bin/ r,
  /{,usr/}bin/bash ix,
  /{,usr/}bin/cat mrix,
  /{,usr/}bin/dash mrix,
  /{,usr/}bin/date mrix,
  /{,usr/}bin/minimum-unixtime-show rix,
  /{,usr/}bin/mktemp mrix,
  /{,usr/}bin/ps rix,
  /{,usr/}bin/python3.9 rix,
  /{,usr/}bin/qubesdb-cmd rix,
  /{,usr/}bin/qubesdb-read rix,
  /{,usr/}bin/rm mrix,
  /{,usr/}bin/sdwdate r,
  /{,usr/}bin/sleep rix,
  /{,usr/}bin/timeout mrix,
  /{,usr/}bin/timesanitycheck rix,
  /{,usr/}bin/tor-circuit-established-check rix,
  /{,usr/}bin/uname rix,
  /{,usr/}bin/whoami rix,
  /{,usr/}bin/id rix,
  /{,usr/}bin/touch mrix,
  @{PROC}/ r,
  @{PROC}/*/stat r,
  @{PROC}/sys/kernel/osrelease r,
  @{PROC}/uptime r,
  @{PROC}/uptime r,
  ## TODO: 'owner' keyword needed?
  ## Was breaking 'touch /run/sdwdate/onion-time-script-after-boot'? (As run by onion-time-pre-script.)
  ## https://forums.whonix.org/t/sdwdate-broken-on-virtualbox-whonix/12800/2
  /run/sdwdate/ rw,
  /run/sdwdate/** rw,
  /run/anondate/ rw,
  /run/anondate/** rw,
  deny /var/lib/sdwdate-forbidden-temp/** mrwlk,
  owner /usr/lib/python3/dist-packages/sdwdate/__pycache__/ rw,
  owner /usr/lib/python3/dist-packages/sdwdate/__pycache__/** rw,
  owner @{PROC}/*/fd/ r,
  owner @{PROC}/*/mounts r,
  owner @{PROC}/*/status r,

}