# Last Modified: Mon May 12 10:41:07 2025
include <tunables/global>

## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
## See the file COPYING for copying conditions.


/usr/libexec/systemcheck/canary flags=(attach_disconnected) {
  include <abstractions/apache2-common>
  include <abstractions/base>
  include <abstractions/bash>
  include <abstractions/python>
  include <local/usr.libexec.systemcheck.canary>

  deny /etc/ssl/openssl.cnf r,
  deny /sbin/** rwx,
  deny /{,usr/}bin/*-gnu-* rx,
  deny /{,usr/}bin/python3.9 r,
  deny /usr/libexec/systemcheck r,
  deny /usr/libexec/systemcheck/ r,

  /etc/group r,
  /etc/host.conf r,
  /etc/hosts r,
  /etc/nsswitch.conf r,
  /etc/passwd r,
  /etc/resolv.conf r,
  /etc/systemcheck.d/ r,
  /etc/systemcheck.d/** r,
  /etc/safe-rm.conf r,
  /etc/whonix.d/ r,
  /etc/whonix.d/** r,
  /run/sdwdate/success r,
  /run/desktop-config-dist/livecheck-lsblk r,
  /sys/devices/*/net/*/carrier r,
  /sys/devices/virtual/block/dm-0/dm/name r,
  /sys/devices/virtual/block/dm-1/dm/name r,
  /sys/devices/virtual/dmi/id/** r,
  /sys/firmware/devicetree/base/hypervisor/compatible r,
  /sys/hypervisor/properties/features r,
  /sys/hypervisor/type r,
  /usr/libexec/helper-scripts/light_sleep.bsh r,
  /usr/libexec/helper-scripts/live-mode.sh r,
  /usr/libexec/helper-scripts/systemd-notify.bsh r,
  /usr/libexec/helper-scripts/settings_echo rix,
  /usr/libexec/systemcheck/canary r,
  /usr/libexec/systemcheck/canary-download rix,
  /usr/libexec/systemcheck/canary-run-or-not rix,
  /usr/libexec/helper-scripts/get_writable_fs_lists.sh rix,
  /usr/local/etc/systemcheck.d/ r,
  /usr/local/etc/systemcheck.d/** r,
  /usr/local/etc/whonix.d/ r,
  /usr/local/etc/whonix.d/** r,
  /usr/share/keyrings/derivative.pub r,
  /var/lib/canary/ rw,
  /var/lib/canary/** rw,
  /{,usr/}bin/wc rix,
  /{,usr/}bin/sed rix,
  /{,usr/}bin/cat rix,
  /{,usr/}bin/date rix,
  /{,usr/}bin/grep rix,
  /{,usr/}bin/ls rix,
  /{,usr/}bin/mount rix,
  /{,usr/}bin/qubesdb-cmd rix,
  /{,usr/}bin/qubesdb-read rix,
  /{,usr/}bin/rm rix,
  /{,usr/}bin/safe-rm rix,
  /{,usr/}bin/sanitize-string rix,
  /{,usr/}bin/signify-openbsd rix,
  /{,usr/}bin/sleep rix,
  /{,usr/}bin/systemd-detect-virt rix,
  /{,usr/}bin/systemd-notify rix,
  /{,usr/}bin/tee rix,
  /{,usr/}bin/timeout rix,
  /{,usr/}bin/touch rix,
  /{,usr/}bin/whoami rix,
  @{PROC} r,
  @{PROC}/*/cmdline r,
  @{PROC}/*/mountinfo r,
  @{PROC}/1/sched r,
  @{PROC}/[0-9]*/fd/ r,
  owner @{PROC}/[0-9]*/fd/** rw,
  @{PROC}/[0-9]*/mounts r,
  @{PROC}/[0-9]*/stat r,
  @{PROC}/cmdline r,
  @{PROC}/filesystems r,
  @{PROC}/sys/kernel/osrelease r,
  @{PROC}/sys/kernel/random/uuid r,
  owner /tmp/** mrw,

}