OXIESEC PANEL

Name	Size	Modified	Perms
📁 ..	-	02/18/2024 07:58:20 PM	rwxr-xr-x
📄 container-management	2.17 KB	12/16/2015 10:40:55 PM	rw-r--r--
📄 desktop	380 bytes	01/11/2016 07:58:56 PM	rw-r--r--
📄 display-server	1.65 KB	01/19/2016 06:25:11 PM	rw-r--r--
📄 firewall-management	1.7 KB	11/14/2015 11:48:00 PM	rw-r--r--
📄 locale-management	188 bytes	12/16/2015 09:47:27 PM	rw-r--r--
📄 mir-client	1.39 KB	01/19/2016 07:31:36 PM	rw-r--r--
📄 network-admin	2.26 KB	10/05/2015 02:03:36 PM	rw-r--r--
📄 network-client	172 bytes	12/16/2015 08:54:27 PM	rw-r--r--
📄 network-firewall	1.7 KB	11/14/2015 11:48:00 PM	rw-r--r--
📄 network-listener	1.4 KB	01/14/2016 11:24:32 PM	rw-r--r--
📄 network-management	2.26 KB	10/05/2015 02:03:36 PM	rw-r--r--
📄 network-monitor	1.59 KB	12/15/2015 01:50:15 PM	rw-r--r--
📄 network-service	1.4 KB	01/14/2016 11:24:32 PM	rw-r--r--
📄 network-status	1.59 KB	12/15/2015 01:50:15 PM	rw-r--r--
📄 physical-memory-access	111 bytes	12/15/2015 02:00:23 PM	rw-r--r--
📄 read-system-logs	227 bytes	12/16/2015 10:01:29 PM	rw-r--r--
📄 snap-management	84 bytes	12/15/2015 01:52:34 PM	rw-r--r--
📄 snapd	84 bytes	12/15/2015 01:52:34 PM	rw-r--r--
📄 system-monitor	745 bytes	01/15/2016 02:41:32 PM	rw-r--r--
📄 timeserver-management	251 bytes	12/16/2015 09:22:54 PM	rw-r--r--
📄 timezone-management	188 bytes	12/16/2015 09:42:49 PM	rw-r--r--
📄 unix-listener	80 bytes	12/16/2015 08:54:57 PM	rw-r--r--
📄 update-schedule-management	100 bytes	12/16/2015 10:02:37 PM	rw-r--r--

Name

Size

Modified

Perms

📁 ..

02/18/2024 07:58:20 PM

rwxr-xr-x

📄 container-management

2.17 KB

12/16/2015 10:40:55 PM

rw-r--r--

📄 desktop

380 bytes

01/11/2016 07:58:56 PM

rw-r--r--

📄 display-server

1.65 KB

01/19/2016 06:25:11 PM

rw-r--r--

📄 firewall-management

1.7 KB

11/14/2015 11:48:00 PM

rw-r--r--

📄 locale-management

188 bytes

12/16/2015 09:47:27 PM

rw-r--r--

📄 mir-client

1.39 KB

01/19/2016 07:31:36 PM

rw-r--r--

📄 network-admin

2.26 KB

10/05/2015 02:03:36 PM

rw-r--r--

📄 network-client

172 bytes

12/16/2015 08:54:27 PM

rw-r--r--

📄 network-firewall

1.7 KB

11/14/2015 11:48:00 PM

rw-r--r--

📄 network-listener

1.4 KB

01/14/2016 11:24:32 PM

rw-r--r--

📄 network-management

2.26 KB

10/05/2015 02:03:36 PM

rw-r--r--

📄 network-monitor

1.59 KB

12/15/2015 01:50:15 PM

rw-r--r--

📄 network-service

1.4 KB

01/14/2016 11:24:32 PM

rw-r--r--

📄 network-status

1.59 KB

12/15/2015 01:50:15 PM

rw-r--r--

📄 physical-memory-access

111 bytes

12/15/2015 02:00:23 PM

rw-r--r--

📄 read-system-logs

227 bytes

12/16/2015 10:01:29 PM

rw-r--r--

📄 snap-management

84 bytes

12/15/2015 01:52:34 PM

rw-r--r--

📄 snapd

84 bytes

12/15/2015 01:52:34 PM

rw-r--r--

📄 system-monitor

745 bytes

01/15/2016 02:41:32 PM

rw-r--r--

📄 timeserver-management

251 bytes

12/16/2015 09:22:54 PM

rw-r--r--

📄 timezone-management

188 bytes

12/16/2015 09:42:49 PM

rw-r--r--

📄 unix-listener

80 bytes

12/16/2015 08:54:57 PM

rw-r--r--

📄 update-schedule-management

100 bytes

12/16/2015 10:02:37 PM

rw-r--r--

Editing: display-server

# Description: Can access the system as a display server. This is restricted
# because it gives access to the graphics and input systems.
# Usage: reserved

# Currently this is mir-specific. When have an X or wayland server, update
# accordingly.

# This shouldn't be needed, but is harmless
/usr/share/applications/ r,

# This is arguably via capabilities assignment...
# TODO: is this required?
/dev/tty* rw,

# This allows interacting with graphics hardware and therefore must be
# reserved.
capability sys_admin,
/dev/dri/** rw,
/sys/class/drm/ r,
/sys/class/drm/** r,
/sys/devices/**/drm/ r,
/sys/devices/**/drm/** r,

# This is arguably via capabilities assignment...
# This allows snooping input events and therefore must be reserved.
/dev/input/* rw,
/sys/class/input/ r,
/sys/class/input/** r,
/sys/devices/**/input/ r,
/sys/devices/**/input/** r,

# Socket to talk on
/run/mir_socket rw,

# TODO: investigate. tvoss claims it shouldn't be needed
# This allows access to all anonymous seqpacket addresses which breaks
# application isolation (therefore only privileged apps may use this cap)
unix (receive, send) type=seqpacket addr=none,

# For non-opengl apps
/dev/shm/\#* rw,

# udev
# FIXME: these are way too loose
/sys/devices/**/ r,
/run/udev/data/* r,
/sys/devices/**/uevent rw,

# FIXME: can this be fine-tuned at all?
capability sys_ptrace,
ptrace peer=**,

# TODO: investigate (what is this chowning to?)
capability chown,
capability fowner,

# TODO: investigate. These are usually the result of wrong directory
# permissions
capability dac_override,
capability dac_read_search,

# TODO: investigate
capability sys_tty_config,

# TODO: investigate
network netlink raw,