%PDF- <> %âãÏÓ endobj 2 0 obj <> endobj 3 0 obj <>/ExtGState<>/ProcSet[/PDF/Text/ImageB/ImageC/ImageI] >>/Annots[ 28 0 R 29 0 R] /MediaBox[ 0 0 595.5 842.25] /Contents 4 0 R/Group<>/Tabs/S>> endobj ºaâÚÎΞ-ÌE1ÍØÄ÷{òò2ÿ ÛÖ^ÔÀá TÎ{¦?§®¥kuµùÕ5sLOšuY>endobj 2 0 obj<>endobj 2 0 obj<>endobj 2 0 obj<>endobj 2 0 obj<> endobj 2 0 obj<>endobj 2 0 obj<>es 3 0 R>> endobj 2 0 obj<> ox[ 0.000000 0.000000 609.600000 935.600000]/Fi endobj 3 0 obj<> endobj 7 1 obj<>/ProcSet[/PDF/Text/ImageB/ImageC/ImageI]>>/Subtype/Form>> stream
# Description: Can configure networking. This is restricted because it gives # wide, privileged access to networking and should only be used with trusted # apps. # Usage: reserved #include <abstractions/nameservice> #include <abstractions/ssl_certs> capability net_admin, capability net_raw, capability setuid, # ping # Allow protocols except those that we blacklist in # /etc/modprobe.d/blacklist-rare-network.conf network appletalk, network bridge, network inet, network inet6, network ipx, network packet, network pppox, network sna, @{PROC}/@{pid}/net/ r, @{PROC}/@{pid}/net/** r, # used by sysctl, et al @{PROC}/sys/ r, @{PROC}/sys/net/ r, @{PROC}/sys/net/core/ r, @{PROC}/sys/net/core/** rw, @{PROC}/sys/net/ipv{4,6}/ r, @{PROC}/sys/net/ipv{4,6}/** rw, @{PROC}/sys/net/netfilter/ r, @{PROC}/sys/net/netfilter/** rw, @{PROC}/sys/net/nf_conntrack_max rw, # networking tools /{,usr/}{,s}bin/arp ixr, /{,usr/}{,s}bin/arpd ixr, /{,usr/}{,s}bin/bridge ixr, /{,usr/}{,s}bin/dhclient Pxr, # use ixr instead if want to limit to snap dirs /{,usr/}{,s}bin/ifconfig ixr, audit deny /{,usr/}{,s}bin/if{up,down} r, # the system uses these, snaps shouldn't /{,usr/}{,s}bin/ip ixr, /{,usr/}{,s}bin/ipmaddr ixr, /{,usr/}{,s}bin/iptunnel ixr, audit deny /{,usr/}{,s}bin/mii-tool r, # needs capability sys_module /{,usr/}{,s}bin/nameif ixr, /{,usr/}{,s}bin/netstat ixr, # -p not supported /{,usr/}{,s}bin/nstat ixr, /{,usr/}{,s}bin/ping ixr, /{,usr/}{,s}bin/ping6 ixr, /{,usr/}{,s}bin/pppd ixr, /{,usr/}{,s}bin/pppdump ixr, /{,usr/}{,s}bin/pppoe-discovery ixr, #/{,usr/}{,s}bin/pppstats ixr, # needs sys_module /{,usr/}{,s}bin/route ixr, /{,usr/}{,s}bin/routef ixr, /{,usr/}{,s}bin/routel ixr, /{,usr/}{,s}bin/rtacct ixr, /{,usr/}{,s}bin/rtmon ixr, /{,usr/}{,s}bin/sysctl ixr, /{,usr/}{,s}bin/tc ixr, /{,usr/}{,s}bin/wpa_action ixr, /{,usr/}{,s}bin/wpa_cli ixr, /{,usr/}{,s}bin/wpa_passphrase ixr, /{,usr/}{,s}bin/wpa_supplicant ixr, # arp network netlink dgram, # ip, et al /etc/iproute2/ r, /etc/iproute2/* r, # ping - child profile would be nice but seccomp causes problems with that /{,usr/}{,s}bin/ping ixr, /{,usr/}{,s}bin/ping6 ixr, network inet raw, network inet6 raw, # pppd capability setuid, @{PROC}/@{pid}/loginuid r, @{PROC}/@{pid}/mounts r, # route /etc/networks r,