OXIESEC PANEL

Name	Size	Modified	Perms
📁 ..	-	05/04/2025 04:37:49 PM	rwxr-xr-x
📄 X	1.94 KB	03/19/2025 06:09:43 PM	rw-r--r--
📄 apache2-common	1.09 KB	03/19/2025 06:09:43 PM	rw-r--r--
📁 apparmor_api	-	05/04/2025 04:37:49 PM	rwxr-xr-x
📄 aspell	412 bytes	03/19/2025 06:09:43 PM	rw-r--r--
📄 audio	2.01 KB	03/19/2025 06:09:43 PM	rw-r--r--
📄 authentication	2.14 KB	03/19/2025 06:09:43 PM	rw-r--r--
📄 base	6.93 KB	03/19/2025 06:09:43 PM	rw-r--r--
📄 bash	1.58 KB	03/19/2025 06:09:43 PM	rw-r--r--
📄 consoles	903 bytes	03/19/2025 06:09:43 PM	rw-r--r--
📄 crypto	992 bytes	03/19/2025 06:09:43 PM	rw-r--r--
📄 cups-client	820 bytes	03/19/2025 06:09:43 PM	rw-r--r--
📄 dbus	694 bytes	03/19/2025 06:09:43 PM	rw-r--r--
📄 dbus-accessibility	745 bytes	03/19/2025 06:09:43 PM	rw-r--r--
📄 dbus-accessibility-strict	760 bytes	03/19/2025 06:09:43 PM	rw-r--r--
📄 dbus-network-manager-strict	1.37 KB	03/19/2025 06:09:43 PM	rw-r--r--
📄 dbus-session	747 bytes	03/19/2025 06:09:43 PM	rw-r--r--
📄 dbus-session-strict	1.23 KB	03/19/2025 06:09:43 PM	rw-r--r--
📄 dbus-strict	781 bytes	03/19/2025 06:09:43 PM	rw-r--r--
📄 dconf	344 bytes	03/19/2025 06:09:43 PM	rw-r--r--
📄 dovecot-common	675 bytes	03/19/2025 06:09:43 PM	rw-r--r--
📄 dri-common	542 bytes	03/19/2025 06:09:43 PM	rw-r--r--
📄 dri-enumerate	392 bytes	03/19/2025 06:09:43 PM	rw-r--r--
📄 enchant	2.17 KB	03/19/2025 06:09:43 PM	rw-r--r--
📄 exo-open	1.88 KB	03/19/2025 06:09:43 PM	rw-r--r--
📄 fcitx	558 bytes	03/19/2025 06:09:43 PM	rw-r--r--
📄 fcitx-strict	821 bytes	03/19/2025 06:09:43 PM	rw-r--r--
📄 fonts	2.23 KB	03/19/2025 06:09:43 PM	rw-r--r--
📄 freedesktop.org	1.64 KB	03/19/2025 06:09:43 PM	rw-r--r--
📄 gio-open	1.51 KB	03/19/2025 06:09:43 PM	rw-r--r--
📄 gnome	3.73 KB	03/19/2025 06:09:43 PM	rw-r--r--
📄 gnupg	459 bytes	03/19/2025 06:09:43 PM	rw-r--r--
📄 groff	1.86 KB	03/19/2025 06:09:43 PM	rw-r--r--
📄 gtk	1.58 KB	03/19/2025 06:09:43 PM	rw-r--r--
📄 gvfs-open	1.15 KB	03/19/2025 06:09:43 PM	rw-r--r--
📄 hosts_access	511 bytes	03/19/2025 06:09:43 PM	rw-r--r--
📄 ibus	992 bytes	03/19/2025 06:09:43 PM	rw-r--r--
📄 kde	3.25 KB	03/19/2025 06:09:43 PM	rw-r--r--
📄 kde-globals-write	413 bytes	03/19/2025 06:09:43 PM	rw-r--r--
📄 kde-icon-cache-write	256 bytes	03/19/2025 06:09:43 PM	rw-r--r--
📄 kde-language-write	575 bytes	03/19/2025 06:09:43 PM	rw-r--r--
📄 kde-open5	3.58 KB	03/19/2025 06:09:43 PM	rw-r--r--
📄 kerberosclient	1.44 KB	03/19/2025 06:09:43 PM	rw-r--r--
📄 ldapclient	856 bytes	03/19/2025 06:09:43 PM	rw-r--r--
📄 libpam-systemd	770 bytes	03/19/2025 06:09:43 PM	rw-r--r--
📄 likewise	595 bytes	03/19/2025 06:09:43 PM	rw-r--r--
📄 mdns	554 bytes	03/19/2025 06:09:43 PM	rw-r--r--
📄 mesa	1.21 KB	03/19/2025 06:09:43 PM	rw-r--r--
📄 mir	694 bytes	03/19/2025 06:09:43 PM	rw-r--r--
📄 mozc	573 bytes	03/19/2025 06:09:43 PM	rw-r--r--
📄 mysql	739 bytes	03/19/2025 06:09:43 PM	rw-r--r--
📄 nameservice	4.46 KB	03/19/2025 06:09:43 PM	rw-r--r--
📄 nis	625 bytes	03/19/2025 06:09:43 PM	rw-r--r--
📄 nss-systemd	1.22 KB	03/19/2025 06:09:43 PM	rw-r--r--
📄 nvidia	1.09 KB	03/19/2025 06:09:43 PM	rw-r--r--
📄 opencl	370 bytes	03/19/2025 06:09:43 PM	rw-r--r--
📄 opencl-common	516 bytes	03/19/2025 06:09:43 PM	rw-r--r--
📄 opencl-intel	672 bytes	03/19/2025 06:09:43 PM	rw-r--r--
📄 opencl-mesa	636 bytes	03/19/2025 06:09:43 PM	rw-r--r--
📄 opencl-nvidia	895 bytes	03/19/2025 06:09:43 PM	rw-r--r--
📄 opencl-pocl	2.84 KB	03/19/2025 06:09:43 PM	rw-r--r--
📄 openssl	642 bytes	03/19/2025 06:09:43 PM	rw-r--r--
📄 orbit2	197 bytes	03/19/2025 06:09:43 PM	rw-r--r--
📄 p11-kit	999 bytes	03/19/2025 06:09:43 PM	rw-r--r--
📄 perl	974 bytes	03/19/2025 06:09:43 PM	rw-r--r--
📄 php	1.1 KB	03/19/2025 06:09:43 PM	rw-r--r--
📄 php-worker	558 bytes	03/19/2025 06:09:43 PM	rw-r--r--
📄 php5	208 bytes	03/19/2025 06:09:43 PM	rw-r--r--
📄 postfix-common	1.32 KB	03/19/2025 06:09:43 PM	rw-r--r--
📄 private-files	1.62 KB	03/19/2025 06:09:43 PM	rw-r--r--
📄 private-files-strict	1.18 KB	03/19/2025 06:09:43 PM	rw-r--r--
📄 python	2.24 KB	03/19/2025 06:09:43 PM	rw-r--r--
📄 qt5	863 bytes	03/19/2025 06:09:43 PM	rw-r--r--
📄 qt5-compose-cache-write	399 bytes	03/19/2025 06:09:43 PM	rw-r--r--
📄 qt5-settings-write	514 bytes	03/19/2025 06:09:43 PM	rw-r--r--
📄 recent-documents-write	466 bytes	03/19/2025 06:09:43 PM	rw-r--r--
📄 ruby	1008 bytes	03/19/2025 06:09:43 PM	rw-r--r--
📄 samba	1.27 KB	03/19/2025 06:09:43 PM	rw-r--r--
📄 samba-rpcd	817 bytes	03/19/2025 06:09:43 PM	rw-r--r--
📄 smbpass	581 bytes	03/19/2025 06:09:43 PM	rw-r--r--
📄 snap_browsers	1.54 KB	03/19/2025 06:09:43 PM	rw-r--r--
📄 ssl_certs	1.49 KB	03/19/2025 06:09:43 PM	rw-r--r--
📄 ssl_keys	938 bytes	03/19/2025 06:09:43 PM	rw-r--r--
📄 svn-repositories	1.72 KB	03/19/2025 06:09:43 PM	rw-r--r--
📄 transmission-common	4.28 KB	03/19/2025 06:09:43 PM	rw-r--r--
📄 trash	3.54 KB	03/19/2025 06:09:43 PM	rw-r--r--
📄 ubuntu-bittorrent-clients	821 bytes	03/19/2025 06:09:43 PM	rw-r--r--
📄 ubuntu-browsers	1.58 KB	03/19/2025 06:09:43 PM	rw-r--r--
📁 ubuntu-browsers.d	-	05/04/2025 04:37:49 PM	rwxr-xr-x
📄 ubuntu-console-browsers	731 bytes	03/19/2025 06:09:43 PM	rw-r--r--
📄 ubuntu-console-email	718 bytes	03/19/2025 06:09:43 PM	rw-r--r--
📄 ubuntu-email	1.06 KB	03/19/2025 06:09:43 PM	rw-r--r--
📄 ubuntu-feed-readers	456 bytes	03/19/2025 06:09:43 PM	rw-r--r--
📄 ubuntu-gnome-terminal	300 bytes	03/19/2025 06:09:43 PM	rw-r--r--
📄 ubuntu-helpers	3.82 KB	03/19/2025 06:09:43 PM	rw-r--r--
📄 ubuntu-konsole	453 bytes	03/19/2025 06:09:43 PM	rw-r--r--
📄 ubuntu-media-players	2.3 KB	03/19/2025 06:09:43 PM	rw-r--r--
📄 ubuntu-unity7-base	2.5 KB	03/19/2025 06:09:43 PM	rw-r--r--
📄 ubuntu-unity7-launcher	311 bytes	03/19/2025 06:09:43 PM	rw-r--r--
📄 ubuntu-unity7-messaging	313 bytes	03/19/2025 06:09:43 PM	rw-r--r--
📄 ubuntu-xterm	346 bytes	03/19/2025 06:09:43 PM	rw-r--r--
📄 user-download	987 bytes	03/19/2025 06:09:43 PM	rw-r--r--
📄 user-mail	944 bytes	03/19/2025 06:09:43 PM	rw-r--r--
📄 user-manpages	1000 bytes	03/19/2025 06:09:43 PM	rw-r--r--
📄 user-tmp	760 bytes	03/19/2025 06:09:43 PM	rw-r--r--
📄 user-write	972 bytes	03/19/2025 06:09:43 PM	rw-r--r--
📄 video	594 bytes	03/19/2025 06:09:43 PM	rw-r--r--
📄 vulkan	1.1 KB	03/19/2025 06:09:43 PM	rw-r--r--
📄 wayland	713 bytes	03/19/2025 06:09:43 PM	rw-r--r--
📄 web-data	811 bytes	03/19/2025 06:09:43 PM	rw-r--r--
📄 winbind	882 bytes	03/19/2025 06:09:43 PM	rw-r--r--
📄 wutmp	788 bytes	03/19/2025 06:09:43 PM	rw-r--r--
📄 xad	984 bytes	03/19/2025 06:09:43 PM	rw-r--r--
📄 xdg-desktop	782 bytes	03/19/2025 06:09:43 PM	rw-r--r--
📄 xdg-open	2.23 KB	03/19/2025 06:09:43 PM	rw-r--r--

Name

Size

Modified

Perms

📁 ..

05/04/2025 04:37:49 PM

rwxr-xr-x

📄 X

1.94 KB

03/19/2025 06:09:43 PM

rw-r--r--

📄 apache2-common

1.09 KB

03/19/2025 06:09:43 PM

rw-r--r--

📁 apparmor_api

05/04/2025 04:37:49 PM

rwxr-xr-x

📄 aspell

412 bytes

03/19/2025 06:09:43 PM

rw-r--r--

📄 audio

2.01 KB

03/19/2025 06:09:43 PM

rw-r--r--

📄 authentication

2.14 KB

03/19/2025 06:09:43 PM

rw-r--r--

📄 base

6.93 KB

03/19/2025 06:09:43 PM

rw-r--r--

📄 bash

1.58 KB

03/19/2025 06:09:43 PM

rw-r--r--

📄 consoles

903 bytes

03/19/2025 06:09:43 PM

rw-r--r--

📄 crypto

992 bytes

03/19/2025 06:09:43 PM

rw-r--r--

📄 cups-client

820 bytes

03/19/2025 06:09:43 PM

rw-r--r--

📄 dbus

694 bytes

03/19/2025 06:09:43 PM

rw-r--r--

📄 dbus-accessibility

745 bytes

03/19/2025 06:09:43 PM

rw-r--r--

📄 dbus-accessibility-strict

760 bytes

03/19/2025 06:09:43 PM

rw-r--r--

📄 dbus-network-manager-strict

1.37 KB

03/19/2025 06:09:43 PM

rw-r--r--

📄 dbus-session

747 bytes

03/19/2025 06:09:43 PM

rw-r--r--

📄 dbus-session-strict

1.23 KB

03/19/2025 06:09:43 PM

rw-r--r--

📄 dbus-strict

781 bytes

03/19/2025 06:09:43 PM

rw-r--r--

📄 dconf

344 bytes

03/19/2025 06:09:43 PM

rw-r--r--

📄 dovecot-common

675 bytes

03/19/2025 06:09:43 PM

rw-r--r--

📄 dri-common

542 bytes

03/19/2025 06:09:43 PM

rw-r--r--

📄 dri-enumerate

392 bytes

03/19/2025 06:09:43 PM

rw-r--r--

📄 enchant

2.17 KB

03/19/2025 06:09:43 PM

rw-r--r--

📄 exo-open

1.88 KB

03/19/2025 06:09:43 PM

rw-r--r--

📄 fcitx

558 bytes

03/19/2025 06:09:43 PM

rw-r--r--

📄 fcitx-strict

821 bytes

03/19/2025 06:09:43 PM

rw-r--r--

📄 fonts

2.23 KB

03/19/2025 06:09:43 PM

rw-r--r--

📄 freedesktop.org

1.64 KB

03/19/2025 06:09:43 PM

rw-r--r--

📄 gio-open

1.51 KB

03/19/2025 06:09:43 PM

rw-r--r--

📄 gnome

3.73 KB

03/19/2025 06:09:43 PM

rw-r--r--

📄 gnupg

459 bytes

03/19/2025 06:09:43 PM

rw-r--r--

📄 groff

1.86 KB

03/19/2025 06:09:43 PM

rw-r--r--

📄 gtk

1.58 KB

03/19/2025 06:09:43 PM

rw-r--r--

📄 gvfs-open

1.15 KB

03/19/2025 06:09:43 PM

rw-r--r--

📄 hosts_access

511 bytes

03/19/2025 06:09:43 PM

rw-r--r--

📄 ibus

992 bytes

03/19/2025 06:09:43 PM

rw-r--r--

📄 kde

3.25 KB

03/19/2025 06:09:43 PM

rw-r--r--

📄 kde-globals-write

413 bytes

03/19/2025 06:09:43 PM

rw-r--r--

📄 kde-icon-cache-write

256 bytes

03/19/2025 06:09:43 PM

rw-r--r--

📄 kde-language-write

575 bytes

03/19/2025 06:09:43 PM

rw-r--r--

📄 kde-open5

3.58 KB

03/19/2025 06:09:43 PM

rw-r--r--

📄 kerberosclient

1.44 KB

03/19/2025 06:09:43 PM

rw-r--r--

📄 ldapclient

856 bytes

03/19/2025 06:09:43 PM

rw-r--r--

📄 libpam-systemd

770 bytes

03/19/2025 06:09:43 PM

rw-r--r--

📄 likewise

595 bytes

03/19/2025 06:09:43 PM

rw-r--r--

📄 mdns

554 bytes

03/19/2025 06:09:43 PM

rw-r--r--

📄 mesa

1.21 KB

03/19/2025 06:09:43 PM

rw-r--r--

📄 mir

694 bytes

03/19/2025 06:09:43 PM

rw-r--r--

📄 mozc

573 bytes

03/19/2025 06:09:43 PM

rw-r--r--

📄 mysql

739 bytes

03/19/2025 06:09:43 PM

rw-r--r--

📄 nameservice

4.46 KB

03/19/2025 06:09:43 PM

rw-r--r--

📄 nis

625 bytes

03/19/2025 06:09:43 PM

rw-r--r--

📄 nss-systemd

1.22 KB

03/19/2025 06:09:43 PM

rw-r--r--

📄 nvidia

1.09 KB

03/19/2025 06:09:43 PM

rw-r--r--

📄 opencl

370 bytes

03/19/2025 06:09:43 PM

rw-r--r--

📄 opencl-common

516 bytes

03/19/2025 06:09:43 PM

rw-r--r--

📄 opencl-intel

672 bytes

03/19/2025 06:09:43 PM

rw-r--r--

📄 opencl-mesa

636 bytes

03/19/2025 06:09:43 PM

rw-r--r--

📄 opencl-nvidia

895 bytes

03/19/2025 06:09:43 PM

rw-r--r--

📄 opencl-pocl

2.84 KB

03/19/2025 06:09:43 PM

rw-r--r--

📄 openssl

642 bytes

03/19/2025 06:09:43 PM

rw-r--r--

📄 orbit2

197 bytes

03/19/2025 06:09:43 PM

rw-r--r--

📄 p11-kit

999 bytes

03/19/2025 06:09:43 PM

rw-r--r--

📄 perl

974 bytes

03/19/2025 06:09:43 PM

rw-r--r--

📄 php

1.1 KB

03/19/2025 06:09:43 PM

rw-r--r--

📄 php-worker

558 bytes

03/19/2025 06:09:43 PM

rw-r--r--

📄 php5

208 bytes

03/19/2025 06:09:43 PM

rw-r--r--

📄 postfix-common

1.32 KB

03/19/2025 06:09:43 PM

rw-r--r--

📄 private-files

1.62 KB

03/19/2025 06:09:43 PM

rw-r--r--

📄 private-files-strict

1.18 KB

03/19/2025 06:09:43 PM

rw-r--r--

📄 python

2.24 KB

03/19/2025 06:09:43 PM

rw-r--r--

📄 qt5

863 bytes

03/19/2025 06:09:43 PM

rw-r--r--

📄 qt5-compose-cache-write

399 bytes

03/19/2025 06:09:43 PM

rw-r--r--

📄 qt5-settings-write

514 bytes

03/19/2025 06:09:43 PM

rw-r--r--

📄 recent-documents-write

466 bytes

03/19/2025 06:09:43 PM

rw-r--r--

📄 ruby

1008 bytes

03/19/2025 06:09:43 PM

rw-r--r--

📄 samba

1.27 KB

03/19/2025 06:09:43 PM

rw-r--r--

📄 samba-rpcd

817 bytes

03/19/2025 06:09:43 PM

rw-r--r--

📄 smbpass

581 bytes

03/19/2025 06:09:43 PM

rw-r--r--

📄 snap_browsers

1.54 KB

03/19/2025 06:09:43 PM

rw-r--r--

📄 ssl_certs

1.49 KB

03/19/2025 06:09:43 PM

rw-r--r--

📄 ssl_keys

938 bytes

03/19/2025 06:09:43 PM

rw-r--r--

📄 svn-repositories

1.72 KB

03/19/2025 06:09:43 PM

rw-r--r--

📄 transmission-common

4.28 KB

03/19/2025 06:09:43 PM

rw-r--r--

📄 trash

3.54 KB

03/19/2025 06:09:43 PM

rw-r--r--

📄 ubuntu-bittorrent-clients

821 bytes

03/19/2025 06:09:43 PM

rw-r--r--

📄 ubuntu-browsers

1.58 KB

03/19/2025 06:09:43 PM

rw-r--r--

📁 ubuntu-browsers.d

05/04/2025 04:37:49 PM

rwxr-xr-x

📄 ubuntu-console-browsers

731 bytes

03/19/2025 06:09:43 PM

rw-r--r--

📄 ubuntu-console-email

718 bytes

03/19/2025 06:09:43 PM

rw-r--r--

📄 ubuntu-email

1.06 KB

03/19/2025 06:09:43 PM

rw-r--r--

📄 ubuntu-feed-readers

456 bytes

03/19/2025 06:09:43 PM

rw-r--r--

📄 ubuntu-gnome-terminal

300 bytes

03/19/2025 06:09:43 PM

rw-r--r--

📄 ubuntu-helpers

3.82 KB

03/19/2025 06:09:43 PM

rw-r--r--

📄 ubuntu-konsole

453 bytes

03/19/2025 06:09:43 PM

rw-r--r--

📄 ubuntu-media-players

2.3 KB

03/19/2025 06:09:43 PM

rw-r--r--

📄 ubuntu-unity7-base

2.5 KB

03/19/2025 06:09:43 PM

rw-r--r--

📄 ubuntu-unity7-launcher

311 bytes

03/19/2025 06:09:43 PM

rw-r--r--

📄 ubuntu-unity7-messaging

313 bytes

03/19/2025 06:09:43 PM

rw-r--r--

📄 ubuntu-xterm

346 bytes

03/19/2025 06:09:43 PM

rw-r--r--

📄 user-download

987 bytes

03/19/2025 06:09:43 PM

rw-r--r--

📄 user-mail

944 bytes

03/19/2025 06:09:43 PM

rw-r--r--

📄 user-manpages

1000 bytes

03/19/2025 06:09:43 PM

rw-r--r--

📄 user-tmp

760 bytes

03/19/2025 06:09:43 PM

rw-r--r--

📄 user-write

972 bytes

03/19/2025 06:09:43 PM

rw-r--r--

📄 video

594 bytes

03/19/2025 06:09:43 PM

rw-r--r--

📄 vulkan

1.1 KB

03/19/2025 06:09:43 PM

rw-r--r--

📄 wayland

713 bytes

03/19/2025 06:09:43 PM

rw-r--r--

📄 web-data

811 bytes

03/19/2025 06:09:43 PM

rw-r--r--

📄 winbind

882 bytes

03/19/2025 06:09:43 PM

rw-r--r--

📄 wutmp

788 bytes

03/19/2025 06:09:43 PM

rw-r--r--

📄 xad

984 bytes

03/19/2025 06:09:43 PM

rw-r--r--

📄 xdg-desktop

782 bytes

03/19/2025 06:09:43 PM

rw-r--r--

📄 xdg-open

2.23 KB

03/19/2025 06:09:43 PM

rw-r--r--

Editing: ubuntu-helpers

# Lenient profile that is intended to be used when 'Ux' is desired but
# does not provide enough environment sanitizing. This effectively is an
# open profile that blacklists certain known dangerous files and also
# does not allow any capabilities. For example, it will not allow 'm' on files
# owned be the user invoking the program. While this provides some additional
# protection, please use with care as applications running under this profile
# are effectively running without any AppArmor protection. Use this profile
# only if the process absolutely must be run (effectively) unconfined.
#
# Usage:
# Because this abstraction defines the sanitized_helper profile, it must only
# be included once. Therefore this abstraction should typically not be
# included in other abstractions so as to avoid parser errors regarding
# multiple definitions.
#
# Limitations:
# 1. This does not work for root owned processes, because of the way we use
#    owner matching in the sanitized helper. We could do a better job with
#    this to support root, but it would make the policy harder to understand
#    and going unconfined as root is not desirable any way.
#
# 2. For this sanitized_helper to work, the program running in the sanitized
#    environment must open symlinks directly in order for AppArmor to mediate
#    it. This is confirmed to work with:
#     - compiled code which can load shared libraries
#     - python imports
#    It is known not to work with:
#     - perl includes
# 3. Sanitizing ruby and java
#
# Use at your own risk. This profile was developed as an interim workaround for
# LP: #851986 until AppArmor utilizes proper environment filtering.

abi <abi/4.0>,

profile sanitized_helper {
  include <abstractions/base>
  include <abstractions/X>
  include if exists <local/ubuntu-helpers>

# Allow all networking
  network inet,
  network inet6,

# Allow all DBus communications
  include <abstractions/dbus-session-strict>
  include <abstractions/dbus-strict>
  dbus,

# Needed for Google Chrome
  ptrace (trace) peer=**//sanitized_helper,

# Allow exec of anything, but under this profile. Allow transition
  # to other profiles if they exist.
  /{usr/,usr/local/,}{bin,sbin}/* Pixr,

# Allow exec of libexec applications in /usr/lib* and /usr/local/lib*
  /usr/{,local/}lib*/{,**/}* Pixr,

# Allow exec of software-center scripts. We may need to allow wider
  # permissions for /usr/share, but for now just do this. (LP: #972367)
  /usr/share/software-center/* Pixr,

# Allow exec of texlive font build scripts (LP: #1010909)
  /usr/share/texlive/texmf{,-dist}/web2c/{,**/}* Pixr,

# While the chromium and chrome sandboxes are setuid root, they only link
  # in limited libraries so glibc's secure execution should be enough to not
  # require the santized_helper (ie, LD_PRELOAD will only use standard system
  # paths (man ld.so)).
  /usr/lib/chromium-browser/chromium-browser-sandbox PUxr,
  /usr/lib/chromium{,-browser}/chrome-sandbox PUxr,
  /opt/google/chrome{,-beta,-unstable}/chrome-sandbox PUxr,
  /opt/google/chrome{,-beta,-unstable}/google-chrome Pixr,
  /opt/google/chrome{,-beta,-unstable}/chrome Pixr,
  /opt/google/chrome{,-beta,-unstable}/chrome_crashpad_handler Pixr,
  /opt/google/chrome{,-beta,-unstable}/{,**/}lib*.so{,.*} m,

# The same is needed for Brave
  /opt/brave.com/brave{,-beta,-dev,-nightly}/chrome-sandbox PUxr,
  /opt/brave.com/brave{,-beta,-dev,-nightly}/brave-browser{,-beta,-dev,-nightly} Pixr,
  /opt/brave.com/brave{,-beta,-dev,-nightly}/brave Pixr,
  /opt/brave.com/brave{,-beta,-dev,-nightly}/chrome_crashpad_handler Pixr,
  /opt/brave.com/brave{,-beta,-dev,-nightly}/{,**/}lib*.so{,.*} m,

# Full access
  / r,
  /** rwkl,
  /{,usr/,usr/local/}lib{,32,64}/{,**/}*.so{,.*} m,

# Dangerous files
  audit deny owner /**/* m,              # compiled libraries
  audit deny owner /**/*.py* r,          # python imports
}