aboutsummaryrefslogtreecommitdiff
path: root/straper/db/public/apparmor/apparmor.d/abstractions/private-files
diff options
context:
space:
mode:
authorLukasz Kasprzak <lukasz.kasprzak@pm.me>2026-03-20 19:16:32 +0100
committerLukasz Kasprzak <lukasz.kasprzak@pm.me>2026-03-20 19:16:32 +0100
commit39711cf6c2ec5a3b4480dcb4800cc3802bda5bf2 (patch)
tree9221704f413398cfb5d5759083b1e7032566820e /straper/db/public/apparmor/apparmor.d/abstractions/private-files
parent6b59b75c3a294060dea66bdee16ffaf95ae92889 (diff)
downloadbin-39711cf6c2ec5a3b4480dcb4800cc3802bda5bf2.tar.gz
bin-39711cf6c2ec5a3b4480dcb4800cc3802bda5bf2.zip
feat: first fully successful run e2e on straper
Diffstat (limited to 'straper/db/public/apparmor/apparmor.d/abstractions/private-files')
-rw-r--r--straper/db/public/apparmor/apparmor.d/abstractions/private-files52
1 files changed, 52 insertions, 0 deletions
diff --git a/straper/db/public/apparmor/apparmor.d/abstractions/private-files b/straper/db/public/apparmor/apparmor.d/abstractions/private-files
new file mode 100644
index 0000000..00ad5f1
--- /dev/null
+++ b/straper/db/public/apparmor/apparmor.d/abstractions/private-files
@@ -0,0 +1,52 @@
+# vim:syntax=apparmor
+# privacy-violations contains rules for common files that you want to
+# explicitly deny access
+
+ abi <abi/4.0>,
+
+ # privacy violations (don't audit files under $HOME otherwise get a
+ # lot of false positives when reading contents of directories)
+ deny @{HOME}/.*history mrwkl,
+ deny @{HOME}/.fetchmail* mrwkl,
+ deny @{HOME}/.mutt** mrwkl,
+ deny @{HOME}/.viminfo* mrwkl,
+ deny @{HOME}/.*~ mrwkl,
+ deny @{HOME}/.*.swp mrwkl,
+ deny @{HOME}/.*~1~ mrwkl,
+ deny @{HOME}/.*.bak mrwkl,
+
+ # special attention to (potentially) executable files
+ audit deny @{HOME}/bin/{,**} wl,
+ audit deny @{HOME}/.config/ w,
+ audit deny @{HOME}/.config/autostart/{,**} wl,
+ audit deny @{HOME}/.config/upstart/{,**} wl,
+ audit deny @{HOME}/.init/{,**} wl,
+ audit deny @{HOME}/.kde{,4}/ w,
+ audit deny @{HOME}/.kde{,4}/Autostart/{,**} wl,
+ audit deny @{HOME}/.kde{,4}/env/{,**} wl,
+ audit deny @{HOME}/.local/{,share/} w,
+ audit deny @{HOME}/.local/share/thumbnailers/{,**} wl,
+ audit deny @{HOME}/.pki/ w,
+ audit deny @{HOME}/.pki/nssdb/{,*.so{,.[0-9]*}} wl,
+
+ # don't allow reading/updating of run control files
+ deny @{HOME}/.*rc mrk,
+ audit deny @{HOME}/.*rc wl,
+
+ # bash
+ deny @{HOME}/.bash* mrk,
+ audit deny @{HOME}/.bash* wl,
+ deny @{HOME}/.inputrc mrk,
+ audit deny @{HOME}/.inputrc wl,
+
+ # sh/dash/csh/tcsh/pdksh/zsh
+ deny @{HOME}/.{,z}profile* mrk,
+ audit deny @{HOME}/.{,z}profile* wl,
+ deny @{HOME}/.{,z}log{in,out} mrk,
+ audit deny @{HOME}/.{,z}log{in,out} wl,
+
+ deny @{HOME}/.zshenv mrk,
+ audit deny @{HOME}/.zshenv wl,
+
+ # Include additions to the abstraction
+ include if exists <abstractions/private-files.d>