mirrors/apparmor.d
1
0
Fork 0
mirror of https://github.com/roddhjav/apparmor.d.git synced 2024-11-15 16:03:51 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity
14b779d29b
apparmor.d/apparmor.d/abstractions/deny-sensitive-home
Alexandre Pujol 30656bdc48
feat(abs): minor improvements over some abstractions.
2024-03-13 16:18:54 +00:00

51 lines
2.2 KiB
Plaintext
Raw Blame History

# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# DO NOT USE IT WITHOUT EXPLICIT AUTHORISATION FROM THE PROJECT MAINTAINER
# Per the first rule of this project:
# As these are mandatory access control policies only what it explicitly required
# should be authorized. Meaning, you should not allow everything (or a large area)
# and blacklist some sub area.
# The only legitimate use in this project is for file browser and search engine.
deny @{HOME}/.*.bak mrwkl,
deny @{HOME}/.*.swp mrwkl,
deny @{HOME}/.*~ mrwkl,
deny @{HOME}/.*~1~ mrwkl,
deny @{HOME}/.*age*{,/{,**}} mrwkl,
deny @{HOME}/.*aws*{,/{,**}} mrwkl,
deny @{HOME}/.*cert*{,/{,**}} mrwkl,
deny @{HOME}/.*history mrwkl,
deny @{HOME}/.*key*{,/{,**}} mrwkl,
deny @{HOME}/.*pass*{,/{,**}} mrwkl,
deny @{HOME}/.*pki*{,/{,**}} mrwkl,
deny @{HOME}/.*private*{,/{,**}} mrwkl,
deny @{HOME}/.*secret*{,/{,**}} mrwkl,
deny @{HOME}/.*yubi*{,/{,**}} mrwkl,
deny @{HOME}/.fetchmail* mrwkl,
deny @{HOME}/.lesshst* mrwkl,
deny @{HOME}/.mozilla/{,**} mrwkl,
deny @{HOME}/.mutt* mrwkl,
deny @{HOME}/.thunderbird/{,**} mrwkl,
deny @{HOME}/.viminfo* mrwkl,
deny @{HOME}/.wget-hsts mrwkl,
deny @{HOME}/@{XDG_GPG_DIR}/{,**} mrwkl,
deny @{HOME}/@{XDG_SSH_DIR}/{,**} mrwkl,
deny @{user_config_dirs}/*-store/{,**} mrwkl,
deny @{user_config_dirs}/chromium/{,**} mrwkl,
deny @{user_password_store_dirs}/{,**} mrwkl,
deny @{user_share_dirs}/kwalletd/{,**} mrwkl,
# Deny executable mapping in writable space as allowed in abstractions/fonts
deny @{HOME}/.{,cache/}fontconfig/ rw,
deny @{HOME}/.{,cache/}fontconfig/** mrwl,
# Deny executable mapping in writable space as allowed in abstractions/base for ecryptfs
deny @{HOME}/.Private/** mrxwlk,
deny @{HOMEDIRS}/.ecryptfs/*/.Private/** mrxwlk,
include if exists <abstractions/deny-sensitive-home.d>
Reference in New Issue View Git Blame Copy Permalink