2020-09-12 17:19:23 +02:00
|
|
|
# vim:syntax=apparmor
|
|
|
|
|
2020-12-10 22:33:39 +01:00
|
|
|
abi <abi/3.0>,
|
|
|
|
|
2020-09-12 17:19:23 +02:00
|
|
|
# Allow read to all files user has DAC access to and write access to all
|
|
|
|
# files owned by the user in $HOME.
|
|
|
|
@{HOME}/ r,
|
|
|
|
@{HOME}/** r,
|
|
|
|
owner @{HOME}/** w,
|
|
|
|
|
|
|
|
# Do not allow read and/or write to particularly sensitive/problematic files
|
2020-12-10 22:33:39 +01:00
|
|
|
include <abstractions/private-files>
|
2020-09-12 17:19:23 +02:00
|
|
|
audit deny @{HOME}/.ssh/{,**} mrwkl,
|
|
|
|
audit deny @{HOME}/.gnome2_private/{,**} mrwkl,
|
|
|
|
audit deny @{HOME}/.kde{,4}/{,share/,share/apps/} w,
|
|
|
|
audit deny @{HOME}/.kde{,4}/share/apps/kwallet/{,**} mrwkl,
|
|
|
|
|
|
|
|
# Comment this out if using gpg plugin/addons
|
|
|
|
audit deny @{HOME}/.gnupg/{,**} mrwkl,
|
|
|
|
|
|
|
|
# Allow read to all files user has DAC access to and write for files the user
|
|
|
|
# owns on removable media and filesystems.
|
|
|
|
/media/** r,
|
|
|
|
/mnt/** r,
|
|
|
|
/srv/** r,
|
|
|
|
/net/** r,
|
|
|
|
owner /media/** w,
|
|
|
|
owner /mnt/** w,
|
|
|
|
owner /srv/** w,
|
|
|
|
owner /net/** w,
|