Editing: network-management
# Description: Can configure networking. This is restricted because it gives
# wide, privileged access to networking and should only be used with trusted
# apps.
# Usage: reserved
#
# Policy group "network-management" (easyprof policy group, ubuntu-core 16.04).
# The rules below are unchanged from the listing; only line breaks and
# comments were restored or added.

# Shared abstractions: name resolution and read access to SSL certificates.
#include <abstractions/nameservice>
#include <abstractions/ssl_certs>

# Privileged capabilities. net_admin covers interface, routing and firewall
# configuration; net_raw covers raw and packet sockets. Any snap granted this
# policy group holds both, which is why the group is "reserved".
capability net_admin,
capability net_raw,
capability setuid, # ping

# Allow protocols except those that we blacklist in
# /etc/modprobe.d/blacklist-rare-network.conf
# NOTE(review): "network packet" permits AF_PACKET sockets; combined with
# net_raw this allows link-layer capture and injection. Confirm that every
# consumer of this group actually needs it.
network appletalk,
network bridge,
network inet,
network inet6,
network ipx,
network packet,
network pppox,
network sna,

# Read-only view of the process's own network state under /proc.
@{PROC}/@{pid}/net/ r,
@{PROC}/@{pid}/net/** r,

# used by sysctl, et al
# Directory entries are read-only; the tunables beneath net/core, net/ipv4,
# net/ipv6 and net/netfilter are writable, so the confined process can change
# kernel networking parameters.
@{PROC}/sys/ r,
@{PROC}/sys/net/ r,
@{PROC}/sys/net/core/ r,
@{PROC}/sys/net/core/** rw,
@{PROC}/sys/net/ipv{4,6}/ r,
@{PROC}/sys/net/ipv{4,6}/** rw,
@{PROC}/sys/net/netfilter/ r,
@{PROC}/sys/net/netfilter/** rw,
@{PROC}/sys/net/nf_conntrack_max rw,

# networking tools
# "ixr": execute while inheriting this profile (the tool stays confined by the
# same policy), plus read. "Pxr": execute under the target's own profile with
# environment scrubbing, plus read.
# "audit deny ... r": read access is refused and the attempt is logged; deny
# rules take precedence over any allow rule. No rule in this file grants
# execute on those paths.
/{,usr/}{,s}bin/arp ixr,
/{,usr/}{,s}bin/arpd ixr,
/{,usr/}{,s}bin/bridge ixr,
# dhclient runs under its own profile rather than this one, so its confinement
# depends on that profile - presumably provided by the host; verify it is
# loaded.
/{,usr/}{,s}bin/dhclient Pxr, # use ixr instead if want to limit to snap dirs
/{,usr/}{,s}bin/ifconfig ixr,
audit deny /{,usr/}{,s}bin/if{up,down} r, # the system uses these, snaps shouldn't
/{,usr/}{,s}bin/ip ixr,
/{,usr/}{,s}bin/ipmaddr ixr,
/{,usr/}{,s}bin/iptunnel ixr,
audit deny /{,usr/}{,s}bin/mii-tool r, # needs capability sys_module
/{,usr/}{,s}bin/nameif ixr,
/{,usr/}{,s}bin/netstat ixr, # -p not supported
/{,usr/}{,s}bin/nstat ixr,
/{,usr/}{,s}bin/ping ixr,
/{,usr/}{,s}bin/ping6 ixr,
/{,usr/}{,s}bin/pppd ixr,
/{,usr/}{,s}bin/pppdump ixr,
/{,usr/}{,s}bin/pppoe-discovery ixr,
#/{,usr/}{,s}bin/pppstats ixr, # needs sys_module
/{,usr/}{,s}bin/route ixr,
/{,usr/}{,s}bin/routef ixr,
/{,usr/}{,s}bin/routel ixr,
/{,usr/}{,s}bin/rtacct ixr,
/{,usr/}{,s}bin/rtmon ixr,
/{,usr/}{,s}bin/sysctl ixr,
/{,usr/}{,s}bin/tc ixr,
/{,usr/}{,s}bin/wpa_action ixr,
/{,usr/}{,s}bin/wpa_cli ixr,
/{,usr/}{,s}bin/wpa_passphrase ixr,
/{,usr/}{,s}bin/wpa_supplicant ixr,

# arp
network netlink dgram,

# ip, et al
/etc/iproute2/ r,
/etc/iproute2/* r,

# ping - child profile would be nice but seccomp causes problems with that
# NOTE(review): the two ping exec rules repeat the ones in the tools list
# above. AppArmor rules are additive, so the repetition does not change the
# resulting policy.
/{,usr/}{,s}bin/ping ixr,
/{,usr/}{,s}bin/ping6 ixr,
network inet raw,
network inet6 raw,

# pppd
# NOTE(review): "capability setuid" is already granted near the top of the
# file; this second grant is redundant but harmless.
capability setuid,
@{PROC}/@{pid}/loginuid r,
@{PROC}/@{pid}/mounts r,

# route
/etc/networks r,