## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## See the file COPYING for copying conditions.

## required for /usr/bin/whonixcheck running /usr/lib/whonixcheck/whonixcheck
## under user 'whonixcheck'.
user ALL=(whonixcheck) NOPASSWD: /usr/lib/whonixcheck/whonixcheck
user ALL=(whonixcheck) NOPASSWD: /bin/bash -x /usr/lib/whonixcheck/whonixcheck
user ALL=NOPASSWD: /bin/bash -x /usr/bin/whonixcheck

## Required for whonixcheck running "tor --verify-config".
whonixcheck ALL=(debian-tor) NOPASSWD: /usr/bin/tor --verify-config
whonixcheck ALL=(debian-tor) NOPASSWD: /usr/sbin/tor --verify-config

whonixcheck ALL=NOPASSWD: /bin/systemctl --no-pager --no-block status onion-grater

## /usr/bin/whonixcheck depends on the following line for check_operating_system
## allows running apt-get update as user (non-root)
whonixcheck ALL=NOPASSWD: /usr/lib/security-misc/apt-get-update
whonixcheck ALL=NOPASSWD: /usr/lib/helper-scripts/apt-get-update-simulate
whonixcheck ALL=NOPASSWD: /usr/lib/helper-scripts/apt-get-update-kill-helper
whonixcheck ALL=NOPASSWD: /usr/lib/helper-scripts/anondate

## check_package_manager_running_helper
whonixcheck ALL=NOPASSWD: /bin/fuser /var/lib/dpkg/lock /var/cache/apt/archives/lock

## required for check_network_interfaces
whonixcheck ALL=NOPASSWD: /sbin/ifconfig eth0
whonixcheck ALL=NOPASSWD: /sbin/ifconfig eth1

## required for check_kernel_messages
whonixcheck ALL=NOPASSWD: /bin/dmesg

## required for check_spectre_meltdown
whonixcheck ALL=NOPASSWD: /usr/bin/spectre-meltdown-checker --paranoid

## required for check_services
whonixcheck ALL=NOPASSWD: /bin/journalctl --boot --no-pager --priority=0..4
whonixcheck ALL=NOPASSWD: /bin/journalctl --boot --no-pager -u whonix-firewall
whonixcheck ALL=NOPASSWD: /bin/systemctl --no-pager --no-block status whonix-firewall
whonixcheck ALL=NOPASSWD: /bin/systemctl --no-pager --no-block --no-legend --failed
whonixcheck ALL=NOPASSWD: /bin/systemctl --no-pager --no-block --failed list-units

## required for check_tor_pid
whonixcheck ALL=NOPASSWD: /usr/lib/whonixcheck/check_tor_pid

## required for check_network_interfaces if /sys is restricted to root
whonixcheck ALL=NOPASSWD: /bin/cat /sys/class/net/eth0/carrier
whonixcheck ALL=NOPASSWD: /bin/cat /sys/class/net/eth1/carrier

## required for check_pvclock if /sys is restricted to root
whonixcheck ALL=NOPASSWD: /bin/cat /sys/devices/system/clocksource/clocksource0/current_clocksource
whonixcheck ALL=NOPASSWD: /bin/cat /sys/devices/system/clocksource/clocksource0/available_clocksource

## required for check_virtualizer if /sys is restricted to root
whonixcheck ALL=NOPASSWD: /usr/bin/systemd-detect-virt
