# vim:syntax=apparmor
# ------------------------------------------------------------------
#
#    Copyright (C) 2020-2021 Mikhail Morfikov
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License published by the Free Software Foundation.
#
# ------------------------------------------------------------------

# The goal of this abstraction is to prevent (GUI) apps from being run as the root user by
# restricting access to the /root/ dir and its subdirectories. If you don't want to start an app as
# the super user (possibly by mistake), just include this abstraction in the app's AppArmor profile.
#
# Note that some apps will still work when run as root even if all of the files in /root/ are
# denied. However, most apps refuse to start when they can't access the files they need in the
# user's home dir.

  abi ,

  # Use audit for now to see whether some apps are trying to get access to the /root/ dir.
  audit deny /root/{,**} rwkmlx,
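Because the rule is `audit deny`, every blocked access under /root/ is logged as an AppArmor `DENIED` record instead of being dropped silently. The following Python script is an added example, not part of the original abstraction or its project: it groups those records by profile. The sample log lines, profile names and paths are constructed for illustration.

```python
import re
from collections import defaultdict

# key="quoted value" or key=bare_value, as found in AppArmor audit records
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse(line):
    """Return the key/value fields of one AppArmor audit record."""
    rec = {}
    for key, quoted, bare in FIELD.findall(line):
        if key == "name" and bare:
            # An unquoted name is hex-encoded (used when the path has spaces etc.)
            try:
                bare = bytes.fromhex(bare).decode("utf-8", "replace")
            except ValueError:
                pass
        rec[key] = quoted or bare
    return rec

def root_denials(log_text):
    """Map profile -> sorted (path, denied_mask) pairs hit by the /root/{,**} rule."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec.get("apparmor") != "DENIED":
            continue  # complain-mode ALLOWED records are not denials
        path = rec.get("name", "")
        # /root/{,**} covers /root/ and everything below it, but not /rootfs/...
        if path.startswith("/root/"):
            hits[rec.get("profile", "?")].add((path, rec.get("denied_mask", "")))
    return {profile: sorted(paths) for profile, paths in hits.items()}

# Constructed sample records (not real logs); profile names are hypothetical.
HEX_NAME = "/root/My Docs/a.txt".encode().hex().upper()
SAMPLE_LOG = "\n".join([
    'audit: type=1400 audit(1610000000.101:201): apparmor="DENIED" operation="open" profile="example-gui-app" name="/root/.config/example/settings.ini" pid=4101 comm="example-gui-app" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    f'audit: type=1400 audit(1610000000.102:202): apparmor="DENIED" operation="open" profile="example-gui-app" name={HEX_NAME} pid=4101 comm="example-gui-app" requested_mask="w" denied_mask="w" fsuid=0 ouid=0',
    'audit: type=1400 audit(1610000000.150:203): apparmor="DENIED" operation="open" profile="other-app" name="/rootfs/data" pid=4200 comm="other-app" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
    'audit: type=1400 audit(1610000000.160:204): apparmor="ALLOWED" operation="open" profile="other-app" name="/root/notes" pid=4200 comm="other-app" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    'audit: type=1400 audit(1610000000.170:205): apparmor="DENIED" operation="open" profile="other-app" name="/root/" pid=4300 comm="other-app" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
])

if __name__ == "__main__":
    for profile, paths in root_denials(SAMPLE_LOG).items():
        for path, mask in paths:
            print(profile, mask, path)
```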