%PDF- <> %âãÏÓ endobj 2 0 obj <> endobj 3 0 obj <>/ExtGState<>/ProcSet[/PDF/Text/ImageB/ImageC/ImageI] >>/Annots[ 28 0 R 29 0 R] /MediaBox[ 0 0 595.5 842.25] /Contents 4 0 R/Group<>/Tabs/S>> endobj ºaâÚÎΞ-ÌE1ÍØÄ÷{òò2ÿ ÛÖ^ÔÀá TÎ{¦?§®¥kuµùÕ5sLOšuY>endobj 2 0 obj<>endobj 2 0 obj<>endobj 2 0 obj<>endobj 2 0 obj<> endobj 2 0 obj<>endobj 2 0 obj<>es 3 0 R>> endobj 2 0 obj<> ox[ 0.000000 0.000000 609.600000 935.600000]/Fi endobj 3 0 obj<> endobj 7 1 obj<>/ProcSet[/PDF/Text/ImageB/ImageC/ImageI]>>/Subtype/Form>> stream
# Description: Can query network status information. This is restricted because
# it gives privileged read-only access to networking information and should
# only be used with trusted apps.
# Usage: reserved

# network-monitor can't allow this otherwise we are basically
# network-management, but don't explicitly deny since someone might try to use
# network-management with network-monitor and that shouldn't fail weirdly.
# The rule is therefore left commented out rather than written as a 'deny'
# rule: an explicit deny would also override an allow contributed by another
# snippet merged into the same profile.
# NOTE(review): several tools allowed below (ip, tc, route, ifconfig, bridge)
# also have modifying subcommands; those are expected to be refused without
# net_admin - confirm this is the only thing keeping the interface read-only.
#capability net_admin,

# '#include' is an AppArmor directive, not a comment: these two lines pull in
# the nameservice and ssl_certs abstractions. Their contents are not visible
# here, so review them separately when auditing what this snippet grants.
#include <abstractions/nameservice>
#include <abstractions/ssl_certs>

# Read-only view of the per-process network tables under /proc/<pid>/net.
# NOTE(review): @{pid} is presumably the stock tunable matching any numeric
# PID, so this is not limited to the confined process's own entry - confirm.
@{PROC}/@{pid}/net/ r,
@{PROC}/@{pid}/net/** r,

# used by sysctl, et al (sysctl net)
# Only 'r' is granted on these paths, so net.* values can be read but this
# snippet does not permit writing them.
@{PROC}/sys/ r,
@{PROC}/sys/net/ r,
@{PROC}/sys/net/core/ r,
@{PROC}/sys/net/core/** r,
@{PROC}/sys/net/ipv{4,6}/ r,
@{PROC}/sys/net/ipv{4,6}/** r,
@{PROC}/sys/net/netfilter/ r,
@{PROC}/sys/net/netfilter/** r,
@{PROC}/sys/net/nf_conntrack_max r,

# networking tools
# 'ixr' = read plus inherit-execute: each tool runs under this same profile,
# so it gets exactly the rules in this profile and nothing of its own.
# The glob /{,usr/}{,s}bin/ covers /bin, /sbin, /usr/bin and /usr/sbin.
/{,usr/}{,s}bin/arp ixr,
/{,usr/}{,s}bin/bridge ixr,
/{,usr/}{,s}bin/ifconfig ixr,
/{,usr/}{,s}bin/ip ixr,
/{,usr/}{,s}bin/ipmaddr ixr,
/{,usr/}{,s}bin/iptunnel ixr,
/{,usr/}{,s}bin/netstat ixr, # -p not supported
/{,usr/}{,s}bin/nstat ixr, # allows zeroing
# pppstats stays disabled: enabling it would require sys_module, which this
# snippet does not grant.
#/{,usr/}{,s}bin/pppstats ixr, # needs sys_module
/{,usr/}{,s}bin/route ixr,
/{,usr/}{,s}bin/routel ixr,
/{,usr/}{,s}bin/rtacct ixr,
/{,usr/}{,s}bin/sysctl ixr,
/{,usr/}{,s}bin/tc ixr,

# arp
network netlink dgram,

# ip, et al
# Note the single '*': only direct children of /etc/iproute2/ are readable,
# not nested subdirectories.
/etc/iproute2/ r,
/etc/iproute2/* r,

# ping - child profile would be nice but seccomp causes problems with that
# Because ping is inherit-executed rather than given a child profile, the
# capabilities and raw-socket rules below are not scoped to ping: they apply
# to every process confined by this profile.
# NOTE(review): setuid is presumably needed for ping's privilege handling
# around the raw socket - confirm it is still required before keeping it.
/{,usr/}{,s}bin/ping ixr,
/{,usr/}{,s}bin/ping6 ixr,
capability net_raw,
capability setuid,
network inet raw,
network inet6 raw,

# route
/etc/networks r,