aboutsummaryrefslogtreecommitdiff
path: root/straper/db/public/apparmor/apparmor.d/abstractions/private-files
blob: 00ad5f16d1c1097ca0d4dc83a8fc73dce2b89f3d (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
# vim:syntax=apparmor
# privacy-violations contains rules for common files that you want to
# explicitly deny access

  abi <abi/4.0>,

  # privacy violations (don't audit files under $HOME otherwise get a
  # lot of false positives when reading contents of directories)
  deny @{HOME}/.*history mrwkl,
  deny @{HOME}/.fetchmail* mrwkl,
  deny @{HOME}/.mutt** mrwkl,
  deny @{HOME}/.viminfo* mrwkl,
  deny @{HOME}/.*~ mrwkl,
  deny @{HOME}/.*.swp mrwkl,
  deny @{HOME}/.*~1~ mrwkl,
  deny @{HOME}/.*.bak mrwkl,

  # special attention to (potentially) executable files
  audit deny @{HOME}/bin/{,**} wl,
  audit deny @{HOME}/.config/ w,
  audit deny @{HOME}/.config/autostart/{,**} wl,
  audit deny @{HOME}/.config/upstart/{,**} wl,
  audit deny @{HOME}/.init/{,**} wl,
  audit deny @{HOME}/.kde{,4}/ w,
  audit deny @{HOME}/.kde{,4}/Autostart/{,**} wl,
  audit deny @{HOME}/.kde{,4}/env/{,**} wl,
  audit deny @{HOME}/.local/{,share/} w,
  audit deny @{HOME}/.local/share/thumbnailers/{,**} wl,
  audit deny @{HOME}/.pki/ w,
  audit deny @{HOME}/.pki/nssdb/{,*.so{,.[0-9]*}} wl,

  # don't allow reading/updating of run control files
  deny @{HOME}/.*rc mrk,
  audit deny @{HOME}/.*rc wl,

  # bash
  deny @{HOME}/.bash* mrk,
  audit deny @{HOME}/.bash* wl,
  deny @{HOME}/.inputrc mrk,
  audit deny @{HOME}/.inputrc wl,

  # sh/dash/csh/tcsh/pdksh/zsh
  deny @{HOME}/.{,z}profile* mrk,
  audit deny @{HOME}/.{,z}profile* wl,
  deny @{HOME}/.{,z}log{in,out} mrk,
  audit deny @{HOME}/.{,z}log{in,out} wl,

  deny @{HOME}/.zshenv mrk,
  audit deny @{HOME}/.zshenv wl,

  # Include additions to the abstraction
  include if exists <abstractions/private-files.d>