apparmor/profiles/apparmor.d/abstractions/private-files

# vim:syntax=apparmor
# privacy-violations contains rules for common files that you want to
# explicitly deny access

  # privacy violations (don't audit files under $HOME otherwise get a
  # lot of false positives when reading contents of directories)
  deny @{HOME}/.*history mrwkl,
  deny @{HOME}/.fetchmail* mrwkl,
  deny @{HOME}/.viminfo* mrwkl,
  deny @{HOME}/.*~ mrwkl,
  deny @{HOME}/.*.swp mrwkl,
  deny @{HOME}/.*~1~ mrwkl,
  deny @{HOME}/.*.bak mrwkl,

  # special attention to (potentially) executable files
  audit deny @{HOME}/bin/** wl,
  audit deny @{HOME}/.config/autostart/** wl,
  audit deny @{HOME}/.config/upstart/** wl,
  audit deny @{HOME}/.init/** wl,
  audit deny @{HOME}/.kde{,4}/Autostart/** wl,
  audit deny @{HOME}/.kde{,4}/env/** wl,
  audit deny @{HOME}/.pki/nssdb/*.so{,.[0-9]*} wl,

  # don't allow reading/updating of run control files
  deny @{HOME}/.*rc mrk,
  audit deny @{HOME}/.*rc wl,

  # bash
  deny @{HOME}/.bash* mrk,
  audit deny @{HOME}/.bash* wl,
  deny @{HOME}/.inputrc mrk,
  audit deny @{HOME}/.inputrc wl,

  # sh/dash/csh/tcsh/pdksh/zsh
  deny @{HOME}/.{,z}profile* mrk,
  audit deny @{HOME}/.{,z}profile* wl,
  deny @{HOME}/.{,z}log{in,out} mrk,
  audit deny @{HOME}/.{,z}log{in,out} wl,

  deny @{HOME}/.zshenv mrk,
  audit deny @{HOME}/.zshenv wl,
merge profiles from Ubuntu, including change_hat apache2 template 2009-11-11 11:42:30 -08:00			`# vim:syntax=apparmor`
Description: Disallow writing and linking to @{HOME}/.pki/nssdb/ .so files Bug-Ubuntu: https://launchpad.net/bugs/911847 Acked-by: Jamie Strandboge <jamie@canonical.com> Acked-By: Steve Beattie <sbeattie@ubuntu.com> 2012-01-06 10:29:32 -06:00			`# privacy-violations contains rules for common files that you want to`
			`# explicitly deny access`
merge profiles from Ubuntu, including change_hat apache2 template 2009-11-11 11:42:30 -08:00
			`# privacy violations (don't audit files under $HOME otherwise get a`
			`# lot of false positives when reading contents of directories)`
			`deny @{HOME}/.*history mrwkl,`
			`deny @{HOME}/.fetchmail* mrwkl,`
			`deny @{HOME}/.viminfo* mrwkl,`
			`deny @{HOME}/.*~ mrwkl,`
			`deny @{HOME}/.*.swp mrwkl,`
			`deny @{HOME}/.*~1~ mrwkl,`
			`deny @{HOME}/.*.bak mrwkl,`

			`# special attention to (potentially) executable files`
			`audit deny @{HOME}/bin/** wl,`
abstractions/private-files: don't allow wl to autostart directories abstractions/private-files-strict: don't allow access to: - chromium - thunderbird - evolution - kmail - kwallet 2011-01-07 10:44:47 -06:00			`audit deny @{HOME}/.config/autostart/** wl,`
deny writes to upstart user sessions jobs in abstractions/private-files Acked-By: Jamie Strandboge <jamie@canonical.com> Acked-by: Steve Beattie <sbeattie@ubuntu.com> 2013-05-13 14:56:10 -05:00			`audit deny @{HOME}/.config/upstart/** wl,`
			`audit deny @{HOME}/.init/** wl,`
Update abstractios for KDE4 (At least) openSUSE uses ~/.kde4 to store KDE4 settings. This patch changes ~/.kde/ to ~/.kde{,4} in all abstractions. The patch is mostly from Velery Valery, I only fixed a merge conflict and added the kmail{,2} part in private-files-strict. References: https://bugzilla.novell.com/show_bug.cgi?id=741592 Acked-By: Steve Beattie <sbeattie@ubuntu.com> for both trunk and 2.7. 2012-01-19 15:20:28 +01:00			`audit deny @{HOME}/.kde{,4}/Autostart/** wl,`
			`audit deny @{HOME}/.kde{,4}/env/** wl,`
Description: Disallow writing and linking to @{HOME}/.pki/nssdb/ .so files Bug-Ubuntu: https://launchpad.net/bugs/911847 Acked-by: Jamie Strandboge <jamie@canonical.com> Acked-By: Steve Beattie <sbeattie@ubuntu.com> 2012-01-06 10:29:32 -06:00			`audit deny @{HOME}/.pki/nssdb/.so{,.[0-9]} wl,`
merge profiles from Ubuntu, including change_hat apache2 template 2009-11-11 11:42:30 -08:00
profiles/apparmor.d/abstractions/private-files: - add zsh files (LP: #761217) - add .inputrc (bash) - add .login and .logout (csh, tcsh, etc) 2011-04-18 08:55:50 -05:00			`# don't allow reading/updating of run control files`
			`deny @{HOME}/.*rc mrk,`
			`audit deny @{HOME}/.*rc wl,`

			`# bash`
merge profiles from Ubuntu, including change_hat apache2 template 2009-11-11 11:42:30 -08:00			`deny @{HOME}/.bash* mrk,`
			`audit deny @{HOME}/.bash* wl,`
profiles/apparmor.d/abstractions/private-files: - add zsh files (LP: #761217) - add .inputrc (bash) - add .login and .logout (csh, tcsh, etc) 2011-04-18 08:55:50 -05:00			`deny @{HOME}/.inputrc mrk,`
			`audit deny @{HOME}/.inputrc wl,`
merge profiles from Ubuntu, including change_hat apache2 template 2009-11-11 11:42:30 -08:00
profiles/apparmor.d/abstractions/private-files: - add zsh files (LP: #761217) - add .inputrc (bash) - add .login and .logout (csh, tcsh, etc) 2011-04-18 08:55:50 -05:00			`# sh/dash/csh/tcsh/pdksh/zsh`
			`deny @{HOME}/.{,z}profile* mrk,`
			`audit deny @{HOME}/.{,z}profile* wl,`
			`deny @{HOME}/.{,z}log{in,out} mrk,`
			`audit deny @{HOME}/.{,z}log{in,out} wl,`
merge profiles from Ubuntu, including change_hat apache2 template 2009-11-11 11:42:30 -08:00
profiles/apparmor.d/abstractions/private-files: - add zsh files (LP: #761217) - add .inputrc (bash) - add .login and .logout (csh, tcsh, etc) 2011-04-18 08:55:50 -05:00			`deny @{HOME}/.zshenv mrk,`
			`audit deny @{HOME}/.zshenv wl,`