# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

# DO NOT USE IT WITHOUT EXPLICIT AUTHORISATION FROM THE PROJECT MAINTAINER

# Per the first rule of this project:
# As these are mandatory access control policies only what it explicitly required
# should be authorized. Meaning, you should not allow everything (or a large area)
# and blacklist some sub area.

# The only legitimate use in this project is for file browser and search engine.

  abi <abi/4.0>,

  # User defined private directories
  deny @{HOMEDIRS}/**/@{XDG_PRIVATE_DIR}/{,**}  mrxwlk,
  deny @{MOUNTS}/**/@{XDG_PRIVATE_DIR}/{,**}    mrxwlk,
  deny @{user_private_dirs}/{,**}               mrxwlk,

  # Files with secret paswords and tokens
  deny @{HOME}/.*age*{,/{,**}}            mrwkl,
  deny @{HOME}/.*aws*{,/{,**}}            mrwkl,
  deny @{HOME}/.*cert*{,/{,**}}           mrwkl,
  deny @{HOME}/.*key*{,/{,**}}            mrwkl,
  deny @{HOME}/.*pass*{,/{,**}}           mrwkl,
  deny @{HOME}/.*pki*{,/{,**}}            mrwkl,
  deny @{HOME}/.*private*{,/{,**}}        mrwkl,
  deny @{HOME}/.*secret*{,/{,**}}         mrwkl,
  deny @{HOME}/.*yubi*{,/{,**}}           mrwkl,
  deny @{HOME}/.aws/{,**}                 mrwkl,
  deny @{HOME}/.kde{,4}/share/apps/kwallet/{,**} mrwkl,
  deny @{HOME}/@{XDG_GPG_DIR}/{,**}       mrwkl,
  deny @{HOME}/@{XDG_SSH_DIR}/{,**}       mrwkl,
  deny @{run}/user/@{uid}/keyring**       mrwkl,
  deny @{user_config_dirs}/*-store/{,**}  mrwkl,
  deny @{user_passwordstore_dirs}/{,**}   mrwkl,
  deny @{user_share_dirs}/kwalletd/{,**}  mrwkl,

  # Privacy violations
  deny @{HOME}/.*.bak                     mrwkl,
  deny @{HOME}/.*.swp                     mrwkl,
  deny @{HOME}/.*~                        mrwkl,
  deny @{HOME}/.*~1~                      mrwkl,
  deny @{HOME}/.*history                  mrwkl,
  deny @{HOME}/.evolution/{,**}           mrwkl,
  deny @{HOME}/.fetchmail*                mrwkl,
  deny @{HOME}/.gnome2_private/{,**}      mrwkl,
  deny @{HOME}/.gnome2/keyrings/{,**}     mrwkl,
  deny @{HOME}/.lesshst*                  mrwkl,
  deny @{HOME}/.mozilla/{,**}             mrwkl,
  deny @{HOME}/.mutt**                    mrwkl,
  deny @{HOME}/.thunderbird/{,**}         mrwkl,
  deny @{HOME}/.viminfo*                  mrwkl,
  deny @{HOME}/.wget-hsts                 mrwkl,
  deny @{user_config_dirs}/chromium/{,**} mrwkl,
  deny @{user_config_dirs}/evolution/{,**} mrwkl,

  # Deny executable mapping in writable space as allowed in abstractions/fonts
  deny @{HOME}/.{,cache/}fontconfig/       rw,
  deny @{HOME}/.{,cache/}fontconfig/**    mrwl,

  # special attention to (potentially) executable files
  deny @{HOME}/bin                          wl,
  deny @{HOME}/bin/{,**}                    wl,

  include if exists <abstractions/deny-sensitive-home.d>

# vim:syntax=apparmor
