## Copyright (C) 2017 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
## See the file COPYING for copying conditions.

  #include <abstractions/base>
  #include <abstractions/python>
  #include <abstractions/ssl_certs>
  #include <abstractions/openssl>

  /usr/bin/ r,
  /usr/bin/url_to_unixtime rix,
  ## Once no new privs issue is resolved, can downgrade to this:
  ## /usr/bin/url_to_unixtime r,

  ## https://forums.whonix.org/t/sdwdate-and-sdwdate-gui-development-thread/1137/372
  deny @{HOME}/** rwm,
  #deny /home/** rwm,
  deny /tmp/** rwm,
  deny /var/tmp/** rwm,
  #deny /usr/bin/** rwx,
  deny /sbin/** rwx,
  deny @{PROC}/** r,
  deny /usr/bin/python3.9 r,
  ## Related to compilation to byte code?
  ## AVC apparmor="DENIED" operation="exec" profile="/usr/bin/sdwdate" name="/usr/sbin/ldconfig" comm="sdwdate" requested_mask="x" denied_mask="x"
  deny /usr/sbin/ldconfig rx,

  # TCP/UDP network access (to access Tor's SOCKS port) (only needed on Bookworm and later)
  network inet  stream,
  network inet6 stream,
  network inet  dgram,
  network inet6 dgram,
