aboutsummaryrefslogtreecommitdiff
path: root/straper/db/public/apparmor/apparmor.d/abstractions/private-files-strict
diff options
context:
space:
mode:
authorLukasz Kasprzak <lukasz.kasprzak@pm.me>2026-03-20 19:16:32 +0100
committerLukasz Kasprzak <lukasz.kasprzak@pm.me>2026-03-20 19:16:32 +0100
commit39711cf6c2ec5a3b4480dcb4800cc3802bda5bf2 (patch)
tree9221704f413398cfb5d5759083b1e7032566820e /straper/db/public/apparmor/apparmor.d/abstractions/private-files-strict
parent6b59b75c3a294060dea66bdee16ffaf95ae92889 (diff)
downloadbin-39711cf6c2ec5a3b4480dcb4800cc3802bda5bf2.tar.gz
bin-39711cf6c2ec5a3b4480dcb4800cc3802bda5bf2.zip
feat: first fully successful run e2e on straper
Diffstat (limited to 'straper/db/public/apparmor/apparmor.d/abstractions/private-files-strict')
-rw-r--r--straper/db/public/apparmor/apparmor.d/abstractions/private-files-strict30
1 files changed, 30 insertions, 0 deletions
diff --git a/straper/db/public/apparmor/apparmor.d/abstractions/private-files-strict b/straper/db/public/apparmor/apparmor.d/abstractions/private-files-strict
new file mode 100644
index 0000000..28d3ab1
--- /dev/null
+++ b/straper/db/public/apparmor/apparmor.d/abstractions/private-files-strict
@@ -0,0 +1,30 @@
+# vim:syntax=apparmor
+# privacy-violations-strict contains additional rules for sensitive
+# files that you want to explicitly deny access
+
+ abi <abi/4.0>,
+
+ include <abstractions/private-files>
+
+ # potentially extremely sensitive files
+ audit deny @{HOME}/.aws/{,**} mrwkl,
+ audit deny @{HOME}/.gnupg/{,**} mrwkl,
+ audit deny @{HOME}/.ssh/{,**} mrwkl,
+ audit deny @{HOME}/.gnome2_private/{,**} mrwkl,
+ audit deny @{HOME}/.gnome2/ w,
+ audit deny @{HOME}/.gnome2/keyrings/{,**} mrwkl,
+ # don't allow access to any gnome-keyring modules
+ audit deny @{run}/user/[0-9]*/keyring** mrwkl,
+ audit deny @{HOME}/.mozilla/{,**} mrwkl,
+ audit deny @{HOME}/.config/ w,
+ audit deny @{HOME}/.config/chromium/{,**} mrwkl,
+ audit deny @{HOME}/.config/evolution/{,**} mrwkl,
+ audit deny @{HOME}/.evolution/{,**} mrwkl,
+ audit deny @{HOME}/.{,mozilla-}thunderbird/{,**} mrwkl,
+ audit deny @{HOME}/.kde{,4}/{,share/,share/apps/} w,
+ audit deny @{HOME}/.kde{,4}/share/apps/kmail{,2}/{,**} mrwkl,
+ audit deny @{HOME}/.kde{,4}/share/apps/kwallet/{,**} mrwkl,
+ audit deny @{HOME}/.local/share/kwalletd/{,**} mrwkl,
+
+ # Include additions to the abstraction
+ include if exists <abstractions/private-files-strict.d>