Related MVP of AppArmor profile that only deny acc

MVP of AppArmor profile that only deny access specific folder about adhocsecurebox HOT 1 OPEN

fititnt commented on June 9, 2024

MVP of AppArmor profile that only deny access specific folder

from adhocsecurebox.

Comments (1)

fititnt commented on June 9, 2024

Ubuntu 20.04 already have some interesting abstractions

`/etc/apparmor.d/abstractions/private-files-strict`

# vim:syntax=apparmor
# privacy-violations-strict contains additional rules for sensitive
# files that you want to explicitly deny access

  #include <abstractions/private-files>

  # potentially extremely sensitive files
  audit deny @{HOME}/.aws/{,**} mrwkl,
  audit deny @{HOME}/.gnupg/{,**} mrwkl,
  audit deny @{HOME}/.ssh/{,**} mrwkl,
  audit deny @{HOME}/.gnome2_private/{,**} mrwkl,
  audit deny @{HOME}/.gnome2/ w,
  audit deny @{HOME}/.gnome2/keyrings/{,**} mrwkl,
  # don't allow access to any gnome-keyring modules
  audit deny /{,var/}run/user/[0-9]*/keyring** mrwkl,
  audit deny @{HOME}/.mozilla/{,**} mrwkl,
  audit deny @{HOME}/.config/ w,
  audit deny @{HOME}/.config/chromium/{,**} mrwkl,
  audit deny @{HOME}/.config/evolution/{,**} mrwkl,
  audit deny @{HOME}/.evolution/{,**} mrwkl,
  audit deny @{HOME}/.{,mozilla-}thunderbird/{,**} mrwkl,
  audit deny @{HOME}/.kde{,4}/{,share/,share/apps/} w,
  audit deny @{HOME}/.kde{,4}/share/apps/kmail{,2}/{,**} mrwkl,
  audit deny @{HOME}/.kde{,4}/share/apps/kwallet/{,**} mrwkl,

`/etc/apparmor.d/abstractions/private-files`

# vim:syntax=apparmor
# privacy-violations contains rules for common files that you want to
# explicitly deny access

  # privacy violations (don't audit files under $HOME otherwise get a
  # lot of false positives when reading contents of directories)
  deny @{HOME}/.*history mrwkl,
  deny @{HOME}/.fetchmail* mrwkl,
  deny @{HOME}/.mutt** mrwkl,
  deny @{HOME}/.viminfo* mrwkl,
  deny @{HOME}/.*~ mrwkl,
  deny @{HOME}/.*.swp mrwkl,
  deny @{HOME}/.*~1~ mrwkl,
  deny @{HOME}/.*.bak mrwkl,

  # special attention to (potentially) executable files
  audit deny @{HOME}/bin/{,**} wl,
  audit deny @{HOME}/.config/ w,
  audit deny @{HOME}/.config/autostart/{,**} wl,
  audit deny @{HOME}/.config/upstart/{,**} wl,
  audit deny @{HOME}/.init/{,**} wl,
  audit deny @{HOME}/.kde{,4}/ w,
  audit deny @{HOME}/.kde{,4}/Autostart/{,**} wl,
  audit deny @{HOME}/.kde{,4}/env/{,**} wl,
  audit deny @{HOME}/.local/{,share/} w,
  audit deny @{HOME}/.local/share/thumbnailers/{,**} wl,
  audit deny @{HOME}/.pki/ w,
  audit deny @{HOME}/.pki/nssdb/{,*.so{,.[0-9]*}} wl,

  # don't allow reading/updating of run control files
  deny @{HOME}/.*rc mrk,
  audit deny @{HOME}/.*rc wl,

  # bash
  deny @{HOME}/.bash* mrk,
  audit deny @{HOME}/.bash* wl,
  deny @{HOME}/.inputrc mrk,
  audit deny @{HOME}/.inputrc wl,

  # sh/dash/csh/tcsh/pdksh/zsh
  deny @{HOME}/.{,z}profile* mrk,
  audit deny @{HOME}/.{,z}profile* wl,
  deny @{HOME}/.{,z}log{in,out} mrk,
  audit deny @{HOME}/.{,z}log{in,out} wl,

  deny @{HOME}/.zshenv mrk,
  audit deny @{HOME}/.zshenv wl,