OXIESEC PANEL

Name	Size	Modified	Perms
📁 ..	-	10/02/2024 07:50:38 PM	rwxr-xr-x
📄 container-management	2.17 KB	12/16/2015 10:40:55 PM	rw-r--r--
📄 desktop	380 bytes	01/11/2016 07:58:56 PM	rw-r--r--
📄 display-server	1.65 KB	01/19/2016 06:25:11 PM	rw-r--r--
📄 firewall-management	1.7 KB	11/14/2015 11:48:00 PM	rw-r--r--
📄 locale-management	188 bytes	12/16/2015 09:47:27 PM	rw-r--r--
📄 mir-client	1.39 KB	01/19/2016 07:31:36 PM	rw-r--r--
📄 network-admin	2.26 KB	10/05/2015 02:03:36 PM	rw-r--r--
📄 network-client	172 bytes	12/16/2015 08:54:27 PM	rw-r--r--
📄 network-firewall	1.7 KB	11/14/2015 11:48:00 PM	rw-r--r--
📄 network-listener	1.4 KB	01/14/2016 11:24:32 PM	rw-r--r--
📄 network-management	2.26 KB	10/05/2015 02:03:36 PM	rw-r--r--
📄 network-monitor	1.59 KB	12/15/2015 01:50:15 PM	rw-r--r--
📄 network-service	1.4 KB	01/14/2016 11:24:32 PM	rw-r--r--
📄 network-status	1.59 KB	12/15/2015 01:50:15 PM	rw-r--r--
📄 physical-memory-access	111 bytes	12/15/2015 02:00:23 PM	rw-r--r--
📄 read-system-logs	227 bytes	12/16/2015 10:01:29 PM	rw-r--r--
📄 snap-management	84 bytes	12/15/2015 01:52:34 PM	rw-r--r--
📄 snapd	84 bytes	12/15/2015 01:52:34 PM	rw-r--r--
📄 system-monitor	745 bytes	01/15/2016 02:41:32 PM	rw-r--r--
📄 timeserver-management	251 bytes	12/16/2015 09:22:54 PM	rw-r--r--
📄 timezone-management	188 bytes	12/16/2015 09:42:49 PM	rw-r--r--
📄 unix-listener	80 bytes	12/16/2015 08:54:57 PM	rw-r--r--
📄 update-schedule-management	100 bytes	12/16/2015 10:02:37 PM	rw-r--r--

Name

Size

Modified

Perms

📁 ..

10/02/2024 07:50:38 PM

rwxr-xr-x

📄 container-management

2.17 KB

12/16/2015 10:40:55 PM

rw-r--r--

📄 desktop

380 bytes

01/11/2016 07:58:56 PM

rw-r--r--

📄 display-server

1.65 KB

01/19/2016 06:25:11 PM

rw-r--r--

📄 firewall-management

1.7 KB

11/14/2015 11:48:00 PM

rw-r--r--

📄 locale-management

188 bytes

12/16/2015 09:47:27 PM

rw-r--r--

📄 mir-client

1.39 KB

01/19/2016 07:31:36 PM

rw-r--r--

📄 network-admin

2.26 KB

10/05/2015 02:03:36 PM

rw-r--r--

📄 network-client

172 bytes

12/16/2015 08:54:27 PM

rw-r--r--

📄 network-firewall

1.7 KB

11/14/2015 11:48:00 PM

rw-r--r--

📄 network-listener

1.4 KB

01/14/2016 11:24:32 PM

rw-r--r--

📄 network-management

2.26 KB

10/05/2015 02:03:36 PM

rw-r--r--

📄 network-monitor

1.59 KB

12/15/2015 01:50:15 PM

rw-r--r--

📄 network-service

1.4 KB

01/14/2016 11:24:32 PM

rw-r--r--

📄 network-status

1.59 KB

12/15/2015 01:50:15 PM

rw-r--r--

📄 physical-memory-access

111 bytes

12/15/2015 02:00:23 PM

rw-r--r--

📄 read-system-logs

227 bytes

12/16/2015 10:01:29 PM

rw-r--r--

📄 snap-management

84 bytes

12/15/2015 01:52:34 PM

rw-r--r--

📄 snapd

84 bytes

12/15/2015 01:52:34 PM

rw-r--r--

📄 system-monitor

745 bytes

01/15/2016 02:41:32 PM

rw-r--r--

📄 timeserver-management

251 bytes

12/16/2015 09:22:54 PM

rw-r--r--

📄 timezone-management

188 bytes

12/16/2015 09:42:49 PM

rw-r--r--

📄 unix-listener

80 bytes

12/16/2015 08:54:57 PM

rw-r--r--

📄 update-schedule-management

100 bytes

12/16/2015 10:02:37 PM

rw-r--r--

Editing: mir-client

# Description: Can access the Mir display server as a client
# Usage: common

# TODO: is this needed by the client too? If it is, then we need to change the
# usage to 'reserved' until we have seccomp arg filtering implemented.
#capability chown,
#capability fowner,

# Socket to talk on
/run/mir_socket rw,

# FIXME: this is problematic with the current approach of forking and renaming
# the mir-template snap since the label will not match the server. This might
# be needed for the anonymous seqpacket socket? This needs to be refined.
unix (connect, send, receive) peer=(label="mir{,.*}_server-compositor_*"),

# For non-opengl apps
# https://www.kernel.org/doc/gorman/html/understand/understand015.html
/dev/shm/\#* rw,

# udev
deny /etc/udev/udev.conf r,
deny /run/udev/data/* r,

# FIXME: this is an information leak until AppArmor implements kernel variables
owner @{PROC}/@{pid}/cmdline r,

# FIXME: these should be part of (hw-)assign, not this policy group
# /dev/dri/card0 rw, # hardware acceleration
# /sys/devices/*/*/*/drm/card0/uevent r,

# FIXME: this is too lenient, please adjust for specific accesses
# /sys/devices/*/*/*/uevent r,

/usr/share/applications/ r,

# Library snaps will allow things like this, but this creates a tight coupling
# between mir and consumers of mir, so leave it out for now.
#@{INSTALL_DIR}/mir{,.*}/ r,
#@{INSTALL_DIR}/mir{,.*}/** r,
#@{INSTALL_DIR}/mir{,.*}/**/lib.so* mr,