apparmor.d/apparmor.d/abstractions/deny-sensitive-home

# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

# DO NOT USE IT WITHOUT EXPLICIT AUTHORISATION FROM THE PROJECT MAINTAINER

# Per the first rule of this project:
# As these are mandatory access control policies only what it explicitly required
# should be authorized. Meaning, you should not allow everything (or a large area)
# and blacklist some sub area.

# Use in this project: file browser and search engine

  deny @{HOME}/.*_history                 rwlk,
  deny @{HOME}/.*age*{,/{,**}}            rwlk,
  deny @{HOME}/.*aws*{,/{,**}}            rwkl,
  deny @{HOME}/.*cert*{,/{,**}}           rwlk,
  deny @{HOME}/.*key*{,/{,**}}            rwlk,
  deny @{HOME}/.*pass*{,/{,**}}           rwlk,
  deny @{HOME}/.*pki*{,/{,**}}            rwlk,
  deny @{HOME}/.*private*{,/{,**}}        rwlk,
  deny @{HOME}/.*secret*{,/{,**}}         rwlk,
  deny @{HOME}/.*yubi*{,/{,**}}           rwlk,
  deny @{HOME}/.lesshst*                  rwlk,
  deny @{HOME}/.wget-hsts                 rwlk,
  deny @{HOME}/@{XDG_GPG_DIR}/{,**}       rwlk,
  deny @{HOME}/@{XDG_SSH_DIR}/{,**}       rwlk,
  deny @{user_config_dirs}/*-store/{,**}  rwlk,
  deny @{user_password_store_dirs}/{,**}  rwlk,

  # Deny executable mapping in writable space as allowed in abstractions/fonts
  deny @{HOME}/.{,cache/}fontconfig/ rw,
  deny @{HOME}/.{,cache/}fontconfig/** mrwl,

  # Deny executable mapping in writable space as allowed in abstractions/base for ecryptfs
  deny @{HOME}/.Private/** mrxwlk,
  deny @{HOMEDIRS}/.ecryptfs/*/.Private/** mrxwlk,

  include if exists <abstractions/deny-sensitive-home.d>
fix(profile): add deny-sensitive-home abstraction. 2022-10-01 20:18:54 +02:00			`# apparmor.d - Full set of apparmor profiles`
			`# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>`
			`# SPDX-License-Identifier: GPL-2.0-only`

			`# DO NOT USE IT WITHOUT EXPLICIT AUTHORISATION FROM THE PROJECT MAINTAINER`

			`# Per the first rule of this project:`
			`# As these are mandatory access control policies only what it explicitly required`
			`# should be authorized. Meaning, you should not allow everything (or a large area)`
			`# and blacklist some sub area.`

			`# Use in this project: file browser and search engine`

feat(abs): extend deny-sensitive with new user_password_store_dirs var. 2023-02-01 23:34:54 +01:00			`deny @{HOME}/.*_history rwlk,`
			`deny @{HOME}/.age{,/{,**}} rwlk,`
feat(profiles): general update. 2023-03-31 17:52:35 +02:00			`deny @{HOME}/.aws{,/{,**}} rwkl,`
feat(abs): extend deny-sensitive with new user_password_store_dirs var. 2023-02-01 23:34:54 +01:00			`deny @{HOME}/.cert{,/{,**}} rwlk,`
			`deny @{HOME}/.key{,/{,**}} rwlk,`
			`deny @{HOME}/.pass{,/{,**}} rwlk,`
			`deny @{HOME}/.pki{,/{,**}} rwlk,`
			`deny @{HOME}/.private{,/{,**}} rwlk,`
			`deny @{HOME}/.secret{,/{,**}} rwlk,`
			`deny @{HOME}/.yubi{,/{,**}} rwlk,`
			`deny @{HOME}/.lesshst* rwlk,`
			`deny @{HOME}/.wget-hsts rwlk,`
			`deny @{HOME}/@{XDG_GPG_DIR}/{,**} rwlk,`
			`deny @{HOME}/@{XDG_SSH_DIR}/{,**} rwlk,`
			`deny @{user_config_dirs}/-store/{,*} rwlk,`
			`deny @{user_password_store_dirs}/{,**} rwlk,`
fix(profile): add deny-sensitive-home abstraction. 2022-10-01 20:18:54 +02:00
			`# Deny executable mapping in writable space as allowed in abstractions/fonts`
			`deny @{HOME}/.{,cache/}fontconfig/ rw,`
			`deny @{HOME}/.{,cache/}fontconfig/** mrwl,`

			`# Deny executable mapping in writable space as allowed in abstractions/base for ecryptfs`
			`deny @{HOME}/.Private/** mrxwlk,`
			`deny @{HOMEDIRS}/.ecryptfs//.Private/* mrxwlk,`

			`include if exists <abstractions/deny-sensitive-home.d>`