# Last Modified: Tue Jun 18 16:10:36 2024
include <tunables/global>

## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## TODO: disable complain mode


/usr/bin/whonix_firewall flags=(attach_disconnected,complain) {
  include <abstractions/whonix-firewall>
  include <local/whonix-firewall>

}
## TODO: disable complain mode


/usr/libexec/whonix-firewall/** flags=(attach_disconnected,complain) {
  include <abstractions/gstreamer>
  include <abstractions/nameservice>
  include <abstractions/whonix-firewall>
  include <local/whonix-firewall>

  /usr/bin/seq mrix,
  /usr/sbin/nft mrix,
  owner /etc/iproute2/group r,
  owner /etc/iproute2/rt_realms r,
  owner /etc/ld.so.cache r,
  owner /etc/ld.so.preload r,
  owner /var/lib/whonix-firewall/ w,
  owner /var/lib/whonix-firewall/firewall.nft r,
  owner /var/lib/whonix-firewall/firewall.nft w,

}
