# apparmor.d - Full set of apparmor profiles # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only # DO NOT USE IT WITHOUT EXPLICIT AUTHORISATION FROM THE PROJECT MAINTAINER # Per the first rule of this project: # As these are mandatory access control policies only what it explicitly required # should be authorized. Meaning, you should not allow everything (or a large area) # and blacklist some sub area. # The only legitimate use in this project is for file browser and search engine. deny @{HOME}/.*.bak mrwkl, deny @{HOME}/.*.swp mrwkl, deny @{HOME}/.*~ mrwkl, deny @{HOME}/.*~1~ mrwkl, deny @{HOME}/.*age*{,/{,**}} mrwkl, deny @{HOME}/.*aws*{,/{,**}} mrwkl, deny @{HOME}/.*cert*{,/{,**}} mrwkl, deny @{HOME}/.*history mrwkl, deny @{HOME}/.*key*{,/{,**}} mrwkl, deny @{HOME}/.*pass*{,/{,**}} mrwkl, deny @{HOME}/.*pki*{,/{,**}} mrwkl, deny @{HOME}/.*private*{,/{,**}} mrwkl, deny @{HOME}/.*secret*{,/{,**}} mrwkl, deny @{HOME}/.*yubi*{,/{,**}} mrwkl, deny @{HOME}/.fetchmail* mrwkl, deny @{HOME}/.lesshst* mrwkl, deny @{HOME}/.mozilla/{,**} mrwkl, deny @{HOME}/.mutt* mrwkl, deny @{HOME}/.thunderbird/{,**} mrwkl, deny @{HOME}/.viminfo* mrwkl, deny @{HOME}/.wget-hsts mrwkl, deny @{HOME}/@{XDG_GPG_DIR}/{,**} mrwkl, deny @{HOME}/@{XDG_SSH_DIR}/{,**} mrwkl, deny @{user_config_dirs}/*-store/{,**} mrwkl, deny @{user_config_dirs}/chromium/{,**} mrwkl, deny @{user_password_store_dirs}/{,**} mrwkl, deny @{user_share_dirs}/kwalletd/{,**} mrwkl, # User defined private directories deny @{user_private_dirs}/{,**} mrxwlk, deny @{HOMEDIRS}/**/@{XDG_PRIVATE_DIR}/{,**} mrxwlk, deny @{MOUNTS}/**/@{XDG_PRIVATE_DIR}/{,**} mrxwlk, # Deny executable mapping in writable space as allowed in abstractions/fonts deny @{HOME}/.{,cache/}fontconfig/ rw, deny @{HOME}/.{,cache/}fontconfig/** mrwl, include if exists # vim:syntax=apparmor