## Copyright (C) 2012 - 2018 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## See the file COPYING for copying conditions.

#include <tunables/global>

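/usr/lib/security-misc/permission-lockdown flags=(attach_disconnected) {
  #include <abstractions/bash>

  # Capabilities the confined script may use. CAP_FOWNER lets chmod act on
  # files owned by other users and CAP_FSETID lets it keep/set setgid bits;
  # CAP_DAC_OVERRIDE / CAP_DAC_READ_SEARCH bypass mode bits when traversing
  # and reading paths. NOTE(review): which of these the script actually
  # needs is not visible here — confirm against the script before trimming.
  capability dac_override,
  capability dac_read_search,
  capability fowner,
  capability fsetid,

  # Helper binaries. The {usr/,} alternation (the same form the lib rule
  # below already uses) matches both /bin/X and /usr/bin/X, so the profile
  # keeps working on merged-/usr systems where /bin is a symlink and the
  # kernel reports the resolved /usr/bin/X path. This is a superset of the
  # old per-path rules (which listed touch under both prefixes).
  /{usr/,}bin/bash ix,
  /{usr/,}bin/chmod mrix,
  /{usr/,}bin/echo mrix,
  /{usr/,}bin/mkdir mrix,
  /{usr/,}bin/touch mrix,
  /{usr/,}bin/basename mrix,
  /usr/lib/security-misc/permission-lockdown r,

  # Per-user home directories; AppArmor requires w to change a path's
  # metadata (chmod), which is presumably what the script does here.
  /home/*/ w,

  # Shared libraries for the helper binaries.
  /{usr/,}lib{,32,64}/** mr,

  # Loader cache and NSS/locale data (user lookups).
  /etc/ld.so.cache r,
  owner /etc/locale.alias r,
  owner /etc/nsswitch.conf r,
  owner /etc/passwd r,

  # State directory the script reads and writes; its exact contents are not
  # visible here. Restricted to files owned by the confined process.
  owner /var/cache/security-misc/state-files/ rw,
  owner /var/cache/security-misc/state-files/* rw,

  /dev/tty rw,

  # Site-local overrides; kept last so they can extend the rules above.
  #include <local/usr.lib.security-misc.permission-lockdown>
}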