2020-09-12 17:19:23 +02:00
|
|
|
# vim:syntax=apparmor
|
|
|
|
|
# ------------------------------------------------------------------
|
|
|
|
|
#
|
2021-01-10 16:35:07 +01:00
|
|
|
# Copyright (C) 2020-2021 Mikhail Morfikov
|
2020-09-12 17:19:23 +02:00
|
|
|
#
|
|
|
|
|
# This program is free software; you can redistribute it and/or
|
|
|
|
|
# modify it under the terms of version 2 of the GNU General Public
|
|
|
|
|
# License published by the Free Software Foundation.
|
|
|
|
|
#
|
|
|
|
|
# ------------------------------------------------------------------
|
|
|
|
|
|
|
|
|
|
# The goal of this abstraction is preventing apps (GUI) to be run as the root user by restraining
|
|
|
|
|
# access to the /root/ dir and its subdirectories. If you don't want to start an app as the super
|
|
|
|
|
# user (possibly by mistake), just include this abstraction in the app's AppArmor profile.
|
|
|
|
|
#
|
|
|
|
|
# Note that some apps will work anyway when run as root even if all of the files in the /root/
|
|
|
|
|
# are denied. Anyway, most of the apps refuse to start when they don't get the access to the
|
|
|
|
|
# needed files in the user home dir.
|
|
|
|
|
|
2020-12-10 22:33:39 +01:00
|
|
|
abi <abi/3.0>,
|
2020-09-12 17:19:23 +02:00
|
|
|
|
|
|
|
|
# Use audit for now to see whether some apps are trying to get access to the /root/ dir.
|
|
|
|
|
audit deny /root/{,**} rwkmlx,
|
