## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
## See the file COPYING for copying conditions.

  ## {{ Whonix, Kicksecure, uwt, security-misc additions start here

  /etc/whonix.d/ r,
  /etc/whonix.d/* r,

  /etc/uwt.d/ r,
  /etc/uwt.d/* r,

  /etc/timezone.anondist r,

  /etc/dpkg/origins/kicksecure r,
  /etc/dpkg/origins/whonix r,

  /etc/resolv.conf.kicksecure r,
  /etc/resolv.conf.whonix r,

  ## uwt
  /{,usr/}bin/mkdir rix,
  /{,usr/}bin/readlink rix,
  /{,usr/}bin/bash rix,
  /{,usr/}bin/grep rix,

  ## uwt
  /usr/bin/whoami rix,
  /usr/bin/basename rix,
  /sbin/ifconfig rix,

  ## uwt
  /dev/tty rw,
  @{PROC}/[0-9]*/net/ r,
  @{PROC}/[0-9]*/net/** r,
  /usr/libexec/uwt/uwtexec rix,
  /usr/libexec/uwt/uwtwrapper rix,

  /usr/libexec/open-link-confirmation/open-link-confirmation rix,

  /usr/libexec/helper-scripts/apt-get-update-kill-helper rix,
  /usr/libexec/helper-scripts/apt-get-update-simulate rix,
  /usr/libexec/helper-scripts/pkg_manager_running_check rix,
  /usr/libexec/helper-scripts/tor_bootstrap_check.bsh rix,
  /usr/libexec/helper-scripts/tor_bootstrap_check.py rix,

  ## Cannot use:
  ## rPx
  ##
  ## AVC apparmor="DENIED" operation="exec" info="no new privs" error=-1 profile="/usr/lib/systemcheck/census" name="/usr/bin/tor-circuit-established-check"
  ## Might be fixed in later kernel version.
  ## https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1844186
  /usr/bin/tor-circuit-established-check rix,

  /usr/libexec/helper-scripts/tor_enabled_check rix,
  /usr/bin/tor-signal-newnym rix,
  /usr/libexec/helper-scripts/torsocks-remove-ld-preload rix,

  /usr/share/kde-lowfat/share/config/kdeglobals r,
  /usr/share/kde-mouse-doubleclick/share/config/kdeglobals r,
  /usr/share/torbrowser-default-browser/share/config/kdeglobals r,
  /usr/share/open-link-confirmation/share/config/kdeglobals r,
  /usr/share/anon-*/** r,

  ## Legacy.
  /var/lib/anon-dist/build_version r,

  /var/lib/dist-base-files/build_version r,

  ## Qubes specific
  /usr/bin/dbus-launch rix,
  /etc/machine-id r,
  /var/lib/dbus/ r,
  /var/lib/dbus/machine-id rwk,
  /var/lib/dbus/machine-id.* rwk,

  ## security-misc
  ## AppArmor feature request:
  ## allow adding permissions globally using drop-in .d folder
  ## https://gitlab.com/apparmor/apparmor/issues/50
  /usr/libexec/security-misc/permission-lockdown rUx,
  /usr/libexec/security-misc/pam-abort-on-locked-password rUx,
  /usr/libexec/security-misc/pam-info rUx,
  /usr/libexec/security-misc/pam_only_if_login rUx,
  /usr/libexec/security-misc/pam_faillock_not_if_x rUx,
  /etc/security/ r,
  /etc/security/access-security-misc.conf r,
  /etc/security/faillock.conf r,
  /etc/security/faillock.conf.security-misc r,
  /etc/security/faillock.conf.security-misc-orig r,
  ## AVC apparmor="DENIED" operation="open" profile="/usr/bin/systemcheck" name="/run/faillock/user" comm="sudo" requested_mask="wr" denied_mask="wr"
  ## AVC apparmor="DENIED" operation="open" profile="/usr/bin/systemcheck" name="/run/faillock/user" comm="sudo" requested_mask="wrc" denied_mask="wrc"
  ## AVC apparmor="DENIED" operation="mknod" profile="/usr/bin/systemcheck" name="/run/faillock/systemcheck" comm="sudo" requested_mask="c" denied_mask="c"
  /run/faillock/** rwk,

  ## snoopy
  /etc/snoopy.ini r,
  /etc/snoopy.ini.dist r,
  /etc/snoopy.ini.dist-orig r,

  ## }} Whonix, Kicksecure, uwt, security-misc specific additions end here