OXIESEC PANEL
Current Dir: /snap/core24/888/etc/apparmor.d/abstractions
Server IP: 139.59.38.164
| Name | Size | Modified | Perms |
|---|---|---|---|
| 📁 .. | - | 03/18/2025 08:12:15 AM | rwxr-xr-x |
| 📄 X | 1.94 KB | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📄 apache2-common | 1.09 KB | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📁 apparmor_api | - | 03/18/2025 08:12:15 AM | rwxr-xr-x |
| 📄 aspell | 412 bytes | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📄 audio | 2.01 KB | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📄 authentication | 2.14 KB | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📄 base | 6.93 KB | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📄 bash | 1.58 KB | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📄 consoles | 903 bytes | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📄 crypto | 992 bytes | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📄 cups-client | 820 bytes | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📄 dbus | 694 bytes | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📄 dbus-accessibility | 745 bytes | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📄 dbus-accessibility-strict | 760 bytes | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📄 dbus-network-manager-strict | 1.37 KB | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📄 dbus-session | 747 bytes | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📄 dbus-session-strict | 1.23 KB | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📄 dbus-strict | 781 bytes | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📄 dconf | 344 bytes | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📄 dovecot-common | 675 bytes | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📄 dri-common | 542 bytes | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📄 dri-enumerate | 392 bytes | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📄 enchant | 2.17 KB | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📄 exo-open | 1.88 KB | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📄 fcitx | 558 bytes | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📄 fcitx-strict | 821 bytes | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📄 fonts | 2.23 KB | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📄 freedesktop.org | 1.64 KB | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📄 gio-open | 1.51 KB | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📄 gnome | 3.73 KB | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📄 gnupg | 459 bytes | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📄 groff | 1.86 KB | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📄 gtk | 1.58 KB | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📄 gvfs-open | 1.15 KB | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📄 hosts_access | 511 bytes | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📄 ibus | 992 bytes | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📄 kde | 3.25 KB | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📄 kde-globals-write | 413 bytes | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📄 kde-icon-cache-write | 256 bytes | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📄 kde-language-write | 575 bytes | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📄 kde-open5 | 3.58 KB | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📄 kerberosclient | 1.44 KB | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📄 ldapclient | 856 bytes | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📄 libpam-systemd | 770 bytes | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📄 likewise | 595 bytes | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📄 mdns | 554 bytes | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📄 mesa | 1.21 KB | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📄 mir | 694 bytes | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📄 mozc | 573 bytes | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📄 mysql | 739 bytes | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📄 nameservice | 4.46 KB | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📄 nis | 625 bytes | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📄 nss-systemd | 1.22 KB | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📄 nvidia | 1.09 KB | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📄 opencl | 370 bytes | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📄 opencl-common | 516 bytes | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📄 opencl-intel | 672 bytes | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📄 opencl-mesa | 636 bytes | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📄 opencl-nvidia | 895 bytes | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📄 opencl-pocl | 2.84 KB | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📄 openssl | 642 bytes | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📄 orbit2 | 197 bytes | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📄 p11-kit | 999 bytes | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📄 perl | 974 bytes | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📄 php | 1.1 KB | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📄 php-worker | 558 bytes | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📄 php5 | 208 bytes | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📄 postfix-common | 1.32 KB | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📄 private-files | 1.62 KB | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📄 private-files-strict | 1.18 KB | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📄 python | 2.24 KB | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📄 qt5 | 863 bytes | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📄 qt5-compose-cache-write | 399 bytes | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📄 qt5-settings-write | 514 bytes | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📄 recent-documents-write | 466 bytes | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📄 ruby | 1008 bytes | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📄 samba | 1.27 KB | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📄 samba-rpcd | 817 bytes | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📄 smbpass | 581 bytes | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📄 snap_browsers | 1.54 KB | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📄 ssl_certs | 1.49 KB | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📄 ssl_keys | 938 bytes | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📄 svn-repositories | 1.72 KB | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📄 transmission-common | 4.28 KB | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📄 trash | 3.54 KB | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📄 ubuntu-bittorrent-clients | 821 bytes | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📄 ubuntu-browsers | 1.58 KB | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📁 ubuntu-browsers.d | - | 03/18/2025 08:12:15 AM | rwxr-xr-x |
| 📄 ubuntu-console-browsers | 731 bytes | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📄 ubuntu-console-email | 718 bytes | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📄 ubuntu-email | 1.06 KB | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📄 ubuntu-feed-readers | 456 bytes | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📄 ubuntu-gnome-terminal | 300 bytes | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📄 ubuntu-helpers | 3.82 KB | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📄 ubuntu-konsole | 453 bytes | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📄 ubuntu-media-players | 2.3 KB | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📄 ubuntu-unity7-base | 2.5 KB | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📄 ubuntu-unity7-launcher | 311 bytes | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📄 ubuntu-unity7-messaging | 313 bytes | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📄 ubuntu-xterm | 346 bytes | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📄 user-download | 987 bytes | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📄 user-mail | 944 bytes | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📄 user-manpages | 1000 bytes | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📄 user-tmp | 760 bytes | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📄 user-write | 972 bytes | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📄 video | 594 bytes | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📄 vulkan | 1.1 KB | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📄 wayland | 713 bytes | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📄 web-data | 811 bytes | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📄 winbind | 882 bytes | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📄 wutmp | 788 bytes | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📄 xad | 984 bytes | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📄 xdg-desktop | 782 bytes | 07/18/2024 06:28:46 PM | rw-r--r-- |
| 📄 xdg-open | 2.23 KB | 07/18/2024 06:28:46 PM | rw-r--r-- |
Editing: base
```
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2009 Novell/SUSE
# Copyright (C) 2009-2011 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------

  abi <abi/4.0>,

  include <abstractions/crypto>

  # (Note that the ldd profile has inlined this file; if you make
  # modifications here, please consider including them in the ldd
  # profile as well.)

  # The __canary_death_handler function writes a time-stamped log
  # message to /dev/log for logging by syslogd. So, /dev/log, timezones,
  # and localisations of date should be available EVERYWHERE, so
  # StackGuard, FormatGuard, etc., alerts can be properly logged.
  /dev/log w,
  /dev/random r,
  /dev/urandom r,
  # Allow access to the uuidd daemon (this daemon is a thin wrapper around
  # time and getrandom()/{,u}random and, when available, runs under an
  # unprivileged, dedicated user).
  @{run}/uuidd/request r,
  @{etc_ro}/locale/** r,
  @{etc_ro}/locale.alias r,
  @{etc_ro}/localtime r,
  @{etc_rw}/localtime r,
  /etc/writable/localtime r,
  /usr/share/locale-bundle/** r,
  /usr/share/locale-langpack/** r,
  /usr/share/locale/ r,
  /usr/share/locale/** r,
  /usr/share/**/locale/** r,
  /usr/share/zoneinfo{,-icu}/ r,
  /usr/share/zoneinfo{,-icu}/** r,
  /usr/share/X11/locale/** r,
  @{run}/systemd/journal/dev-log w,
  # systemd native journal API (see sd_journal_print(4))
  @{run}/systemd/journal/socket w,
  # Nested containers and anything using systemd-cat need this. 'r' shouldn't
  # be required but applications fail without it. journald doesn't leak
  # anything when reading so this is ok.
  @{run}/systemd/journal/stdout rw,

  /usr/lib{,32,64}/locale/** mr,
  /usr/lib{,32,64}/gconv/*.so mr,
  /usr/lib{,32,64}/gconv/gconv-modules* mr,
  /usr/lib/@{multiarch}/gconv/*.so mr,
  /usr/lib/@{multiarch}/gconv/gconv-modules* mr,

  # used by glibc when binding to ephemeral ports
  @{etc_ro}/bindresvport.blacklist r,

  # ld.so.cache and ld are used to load shared libraries; they are best
  # available everywhere
  @{etc_ro}/ld.so.cache mr,
  @{etc_ro}/ld.so.conf r,
  @{etc_ro}/ld.so.conf.d/{,*.conf} r,
  @{etc_ro}/ld.so.preload r,
  @{etc_ro}/ld-musl-*.path r,
  /{usr/,}lib{,32,64}/ld{,32,64}-*.so mr,
  /{usr/,}lib/@{multiarch}/ld{,32,64}-*.so mr,
  /{usr/,}lib/tls/i686/{cmov,nosegneg}/ld-*.so mr,
  /{usr/,}lib/i386-linux-gnu/tls/i686/{cmov,nosegneg}/ld-*.so mr,
  /opt/*-linux-uclibc/lib/ld-uClibc*so* mr,

  # we might as well allow everything to use common libraries
  /{usr/,}lib{,32,64}/** r,
  /{usr/,}lib{,32,64}/**.so* mr,
  /{usr/,}lib/@{multiarch}/** r,
  /{usr/,}lib/@{multiarch}/**.so* mr,
  /{usr/,}lib/tls/i686/{cmov,nosegneg}/*.so* mr,
  /{usr/,}lib/i386-linux-gnu/tls/i686/{cmov,nosegneg}/*.so* mr,

  # FIPS-140-2 versions of some crypto libraries need to access their
  # associated integrity verification file, or they will abort.
  /{usr/,}lib{,32,64}/.lib*.so*.hmac r,
  /{usr/,}lib/@{multiarch}/.lib*.so*.hmac r,

  # /dev/null is pretty harmless and frequently used
  /dev/null rw,
  # as is /dev/zero
  /dev/zero rw,
  # recent glibc uses /dev/full in preference to /dev/null for programs
  # that don't have open fds at exec()
  /dev/full rw,

  # Sometimes used to determine kernel/user interfaces to use
  @{PROC}/sys/kernel/version r,
  # Depending on which glibc routine uses this file, base may not be the
  # best place -- but many profiles require it, and it is quite harmless.
  @{PROC}/sys/kernel/ngroups_max r,

  # glibc's sysconf(3) routine to determine free memory, etc
  @{PROC}/meminfo r,
  @{PROC}/stat r,
  @{PROC}/cpuinfo r,
  @{sys}/devices/system/cpu/ r,
  @{sys}/devices/system/cpu/online r,
  @{sys}/devices/system/cpu/possible r,

  # transparent hugepage support
  @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,

  # glibc's *printf protections read the maps file
  @{PROC}/@{pid}/{maps,auxv,status} r,

  # some applications will display license information
  /usr/share/common-licenses/** r,

  # glibc statvfs
  @{PROC}/filesystems r,

  # glibc malloc (man 5 proc)
  @{PROC}/sys/vm/overcommit_memory r,

  # Allow determining the highest valid capability of the running kernel
  @{PROC}/sys/kernel/cap_last_cap r,

  # Allow other processes to read our /proc entries, futexes, perf tracing and
  # kcmp for now (they will need 'read' in the first place). Administrators can
  # override with:
  #   deny ptrace (readby) ...
  ptrace (readby),

  # Allow other processes to trace us by default (they will need 'trace' in
  # the first place). Administrators can override with:
  #   deny ptrace (tracedby) ...
  ptrace (tracedby),

  # Allow us to ptrace read ourselves
  ptrace (read) peer=@{profile_name},

  # Allow unconfined processes to send us signals by default
  signal (receive) peer=unconfined,

  # Allow us to signal ourselves
  signal peer=@{profile_name},

  # Checking for PID existence is quite common so add it by default for now
  signal (receive, send) set=("exists"),

  # Allow us to create and use abstract and anonymous sockets
  unix peer=(label=@{profile_name}),

  # Allow unconfined processes to send to us via unix sockets
  unix (receive) peer=(label=unconfined),

  # Allow us to create abstract and anonymous sockets
  unix (create),

  # Allow us to getattr, getopt, setopt and shutdown on unix sockets
  unix (getattr, getopt, setopt, shutdown),

  # Workaround https://launchpad.net/bugs/359338 until upstream handles stacked
  # filesystems generally. This does not appreciably decrease security with
  # Ubuntu profiles because the user is expected to have access to files owned
  # by him/her. Exceptions to this are explicit in the profiles. While this rule
  # grants access to those exceptions, the intended privacy is maintained due to
  # the encrypted contents of the files in this directory. Files in this
  # directory will also use filename encryption by default, so the files are
  # further protected. Also, with the use of 'owner', this rule properly
  # prevents access to the files from processes running under a different uid.

  # encrypted ~/.Private and old-style encrypted $HOME
  owner @{HOME}/.Private/ r,
  owner @{HOME}/.Private/** mrixwlk,
  # new-style encrypted $HOME
  owner @{HOMEDIRS}/.ecryptfs/*/.Private/ r,
  owner @{HOMEDIRS}/.ecryptfs/*/.Private/** mrixwlk,

  # Include additions to the abstraction
  include if exists <abstractions/base.d>
```