  ## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
  ## See the file COPYING for copying conditions.

  #include <abstractions/base>
  #include <abstractions/bash>

  capability audit_write,
  capability chown,
  capability net_admin,
  capability setgid,
  capability setuid,
  capability sys_resource,

  ptrace read,

  /dev/pts/[0-9]* rw,

  /{,usr/}bin/bash mrix,
  /{,usr/}bin/chown mrix,
  /{,usr/}bin/date mrix,
  /{,usr/}bin/mktemp mrix,
  /{,usr/}bin/rm mrix,
  /{,usr/}bin/touch mrix,
  /{,usr/}bin/systemctl mrix,
  /{,usr/}bin/id mrix,
  /{,usr/}bin/inotifywait mrix,
  /{,usr/}bin/mkfifo mrix,
  /{,usr/}bin/sudo mrix,
  /{,usr/}bin/tee mrix,
  /{,usr/}bin/getent mrix,
  /{,usr/}bin/whonix-{gateway,workstation}-firewall mrix,
  /{,usr/}bin/whonix_firewall mrix,
  /{,usr/}libexec/whonix-firewall/* mrix,
  /{,usr/}sbin/xtables-nft-multi mrix,

  ## TODO
  /{,usr/}bin/qubesdb-read rUx,
  /{,usr/}bin/qubesdb-cmd rUx,

  /etc/group r,
  /etc/sudoers r,
  /etc/sudoers.d/{,*} r,
  /etc/gai.conf r,
  owner /etc/host.conf r,
  owner /etc/hosts.anondist r,
  owner /etc/login.defs r,
  owner /etc/nsswitch.conf r,
  owner /etc/pam.d/* r,
  owner /etc/passwd r,
  owner /etc/protocols r,
  owner /etc/resolv.conf r,
  owner /etc/shadow r,
  owner /etc/whonix_firewall.d/{,*} r,
  owner /usr/local/etc/whonix_firewall.d/{,*} r,

  @{PROC}/{filesystems,sys/kernel/random/boot_id} r,
  @{PROC}/@{pid}/{,environ,sched,stat,fd/} r,
  owner @{PROC}/*/comm r,

  /run/log/journal/{,**} r,
  /var/log/journal/{,**} r,
  /run/sdwdate/{,**} rw,
  owner /run/anon-firewall/{,**} rw,
  owner /run/whonix_firewall/{,**} rw,
  owner /run/qubes-service/ rw,
  owner /run/qubes-service/* w,
  /run/updatesproxycheck/ r,
  owner /run/updatesproxycheck/ rw,
  owner /run/updatesproxycheck/** rw,
  owner /run/utmp rk,

  /tmp/tmp.* rw,
