  ## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
  ## See the file COPYING for copying conditions.

  #include <abstractions/base>
  #include <abstractions/bash>

  capability audit_write,
  capability chown,
  capability net_admin,
  capability setgid,
  capability setuid,
  capability sys_resource,

  ptrace read,

  /dev/pts/[0-9]* rw,

  /bin/bash ix,
  /bin/chown mrix,
  /bin/date mrix,
  /bin/mktemp mrix,
  /bin/rm mrix,
  /bin/touch mrix,
  /bin/systemctl mrix,
  /usr/bin/id mrix,
  /usr/bin/inotifywait mrix,
  /usr/bin/mkfifo mrix,
  /usr/bin/sudo mrix,
  /usr/bin/tee mrix,
  /usr/bin/whonix-gateway-firewall mrix,
  /usr/bin/whonix-workstation-firewall mrix,
  /usr/bin/whonix_firewall mrix,
  /usr/lib/whonix-firewall/* mrix,
  /usr/sbin/xtables-nft-multi mrix,

  /etc/group r,
  /etc/sudoers r,
  /etc/sudoers.d/ r,
  /etc/sudoers.d/* r,
  /etc/gai.conf r,
  owner /etc/host.conf r,
  owner /etc/hosts.anondist r,
  owner /etc/login.defs r,
  owner /etc/nsswitch.conf r,
  owner /etc/pam.d/* r,
  owner /etc/passwd r,
  owner /etc/protocols r,
  owner /etc/resolv.conf r,
  owner /etc/shadow r,
  owner /etc/whonix_firewall.d/ r,
  owner /etc/whonix_firewall.d/* r,

  /proc/*/fd/ r,
  /proc/filesystems r,
  /proc/*/{,environ,sched,stat} r,
  /proc/sys/kernel/random/boot_id r,

  /run/log/journal/ r,
  /run/log/journal/** r,
  /run/sdwdate/ rw,
  /run/sdwdate/* w,
  owner /run/anon-firewall/ w,
  owner /run/anon-firewall/* w,
  owner /run/whonix_firewall/* w,
  owner /run/qubes-service/ rw,
  owner /run/qubes-service/* w,
  owner /run/utmp rk,

  /tmp/tmp.* rw,
