mirror of
https://gitlab.com/apparmor/apparmor.git
synced 2025-03-05 17:01:00 +01:00
58f5df11e6
Acked-By: Jamie Strandboge <jamie@canonical.com> Acked-by: Steve Beattie <sbeattie@ubuntu.com>
41 lines
1.3 KiB
Text
41 lines
1.3 KiB
Text
# vim:syntax=apparmor
|
|
# privacy-violations contains rules for common files that you want to
|
|
# explicitly deny access
|
|
|
|
# privacy violations (don't audit files under $HOME otherwise get a
|
|
# lot of false positives when reading contents of directories)
|
|
deny @{HOME}/.*history mrwkl,
|
|
deny @{HOME}/.fetchmail* mrwkl,
|
|
deny @{HOME}/.viminfo* mrwkl,
|
|
deny @{HOME}/.*~ mrwkl,
|
|
deny @{HOME}/.*.swp mrwkl,
|
|
deny @{HOME}/.*~1~ mrwkl,
|
|
deny @{HOME}/.*.bak mrwkl,
|
|
|
|
# special attention to (potentially) executable files
|
|
audit deny @{HOME}/bin/** wl,
|
|
audit deny @{HOME}/.config/autostart/** wl,
|
|
audit deny @{HOME}/.config/upstart/** wl,
|
|
audit deny @{HOME}/.init/** wl,
|
|
audit deny @{HOME}/.kde{,4}/Autostart/** wl,
|
|
audit deny @{HOME}/.kde{,4}/env/** wl,
|
|
audit deny @{HOME}/.pki/nssdb/*.so{,.[0-9]*} wl,
|
|
|
|
# don't allow reading/updating of run control files
|
|
deny @{HOME}/.*rc mrk,
|
|
audit deny @{HOME}/.*rc wl,
|
|
|
|
# bash
|
|
deny @{HOME}/.bash* mrk,
|
|
audit deny @{HOME}/.bash* wl,
|
|
deny @{HOME}/.inputrc mrk,
|
|
audit deny @{HOME}/.inputrc wl,
|
|
|
|
# sh/dash/csh/tcsh/pdksh/zsh
|
|
deny @{HOME}/.{,z}profile* mrk,
|
|
audit deny @{HOME}/.{,z}profile* wl,
|
|
deny @{HOME}/.{,z}log{in,out} mrk,
|
|
audit deny @{HOME}/.{,z}log{in,out} wl,
|
|
|
|
deny @{HOME}/.zshenv mrk,
|
|
audit deny @{HOME}/.zshenv wl,
|