apparmor.d -> profiles

2021-04-01 16:02:59 +01:00 · 2021-04-01 16:02:59 +01:00 · e9b8e62fcd
commit e9b8e62fcd
parent c408a878b7
726 changed files with 0 additions and 0 deletions
--- a/profiles/abstractions/deny-root-dir-access
+++ b/profiles/abstractions/deny-root-dir-access
@ -0,0 +1,23 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2020-2021 Mikhail Morfikov
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+  # The goal of this abstraction is preventing apps (GUI) to be run as the root user by restraining
+  # access to the /root/ dir and its subdirectories. If you don't want to start an app as the super
+  # user (possibly by mistake), just include this abstraction in the app's AppArmor profile.
+  #
+  # Note that some apps will work anyway when run as root even if all of the files in the /root/
+  # are denied. Anyway, most of the apps refuse to start when they don't get the access to the
+  # needed files in the user home dir.
+
+  abi <abi/3.0>,
+
+  # Use audit for now to see whether some apps are trying to get access to the /root/ dir.
+  audit deny /root/{,**} rwkmlx,