diff options
| author | Lukasz Kasprzak <lukasz.kasprzak@pm.me> | 2026-03-20 19:16:32 +0100 |
|---|---|---|
| committer | Lukasz Kasprzak <lukasz.kasprzak@pm.me> | 2026-03-20 19:16:32 +0100 |
| commit | 39711cf6c2ec5a3b4480dcb4800cc3802bda5bf2 (patch) | |
| tree | 9221704f413398cfb5d5759083b1e7032566820e /straper/db/public/apparmor/apparmor.d/abstractions/private-files | |
| parent | 6b59b75c3a294060dea66bdee16ffaf95ae92889 (diff) | |
| download | bin-39711cf6c2ec5a3b4480dcb4800cc3802bda5bf2.tar.gz bin-39711cf6c2ec5a3b4480dcb4800cc3802bda5bf2.zip | |
feat: first fully successful run e2e on straper
Diffstat (limited to 'straper/db/public/apparmor/apparmor.d/abstractions/private-files')
| -rw-r--r-- | straper/db/public/apparmor/apparmor.d/abstractions/private-files | 52 |
1 files changed, 52 insertions, 0 deletions
diff --git a/straper/db/public/apparmor/apparmor.d/abstractions/private-files b/straper/db/public/apparmor/apparmor.d/abstractions/private-files new file mode 100644 index 0000000..00ad5f1 --- /dev/null +++ b/straper/db/public/apparmor/apparmor.d/abstractions/private-files @@ -0,0 +1,52 @@ +# vim:syntax=apparmor +# privacy-violations contains rules for common files that you want to +# explicitly deny access + + abi <abi/4.0>, + + # privacy violations (don't audit files under $HOME otherwise get a + # lot of false positives when reading contents of directories) + deny @{HOME}/.*history mrwkl, + deny @{HOME}/.fetchmail* mrwkl, + deny @{HOME}/.mutt** mrwkl, + deny @{HOME}/.viminfo* mrwkl, + deny @{HOME}/.*~ mrwkl, + deny @{HOME}/.*.swp mrwkl, + deny @{HOME}/.*~1~ mrwkl, + deny @{HOME}/.*.bak mrwkl, + + # special attention to (potentially) executable files + audit deny @{HOME}/bin/{,**} wl, + audit deny @{HOME}/.config/ w, + audit deny @{HOME}/.config/autostart/{,**} wl, + audit deny @{HOME}/.config/upstart/{,**} wl, + audit deny @{HOME}/.init/{,**} wl, + audit deny @{HOME}/.kde{,4}/ w, + audit deny @{HOME}/.kde{,4}/Autostart/{,**} wl, + audit deny @{HOME}/.kde{,4}/env/{,**} wl, + audit deny @{HOME}/.local/{,share/} w, + audit deny @{HOME}/.local/share/thumbnailers/{,**} wl, + audit deny @{HOME}/.pki/ w, + audit deny @{HOME}/.pki/nssdb/{,*.so{,.[0-9]*}} wl, + + # don't allow reading/updating of run control files + deny @{HOME}/.*rc mrk, + audit deny @{HOME}/.*rc wl, + + # bash + deny @{HOME}/.bash* mrk, + audit deny @{HOME}/.bash* wl, + deny @{HOME}/.inputrc mrk, + audit deny @{HOME}/.inputrc wl, + + # sh/dash/csh/tcsh/pdksh/zsh + deny @{HOME}/.{,z}profile* mrk, + audit deny @{HOME}/.{,z}profile* wl, + deny @{HOME}/.{,z}log{in,out} mrk, + audit deny @{HOME}/.{,z}log{in,out} wl, + + deny @{HOME}/.zshenv mrk, + audit deny @{HOME}/.zshenv wl, + + # Include additions to the abstraction + include if exists <abstractions/private-files.d> |
