# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

# DO NOT USE IT WITHOUT EXPLICIT AUTHORISATION FROM THE PROJECT MAINTAINER

# Per the first rule of this project:
# As these are mandatory access control policies only what it explicitly required
# should be authorized. Meaning, you should not allow everything (or a large area)
# and blacklist some sub area.

# The only legitimate use in this project is for file browser and search engine.

  deny @{HOME}/.*.bak                     mrwkl,
  deny @{HOME}/.*.swp                     mrwkl,
  deny @{HOME}/.*~                        mrwkl,
  deny @{HOME}/.*~1~                      mrwkl,
  deny @{HOME}/.*age*{,/{,**}}            mrwkl,
  deny @{HOME}/.*aws*{,/{,**}}            mrwkl,
  deny @{HOME}/.*cert*{,/{,**}}           mrwkl,
  deny @{HOME}/.*history                  mrwkl,
  deny @{HOME}/.*key*{,/{,**}}            mrwkl,
  deny @{HOME}/.*pass*{,/{,**}}           mrwkl,
  deny @{HOME}/.*pki*{,/{,**}}            mrwkl,
  deny @{HOME}/.*private*{,/{,**}}        mrwkl,
  deny @{HOME}/.*secret*{,/{,**}}         mrwkl,
  deny @{HOME}/.*yubi*{,/{,**}}           mrwkl,
  deny @{HOME}/.fetchmail*                mrwkl,
  deny @{HOME}/.lesshst*                  mrwkl,
  deny @{HOME}/.mozilla/{,**}             mrwkl,
  deny @{HOME}/.mutt*                     mrwkl,
  deny @{HOME}/.thunderbird/{,**}         mrwkl,
  deny @{HOME}/.viminfo*                  mrwkl,
  deny @{HOME}/.wget-hsts                 mrwkl,
  deny @{HOME}/@{XDG_GPG_DIR}/{,**}       mrwkl,
  deny @{HOME}/@{XDG_SSH_DIR}/{,**}       mrwkl,
  deny @{user_config_dirs}/*-store/{,**}  mrwkl,
  deny @{user_config_dirs}/chromium/{,**} mrwkl,
  deny @{user_password_store_dirs}/{,**}  mrwkl,
  deny @{user_share_dirs}/kwalletd/{,**}  mrwkl,

  # Deny executable mapping in writable space as allowed in abstractions/fonts
  deny @{HOME}/.{,cache/}fontconfig/ rw,
  deny @{HOME}/.{,cache/}fontconfig/** mrwl,

  # Deny executable mapping in writable space as allowed in abstractions/base for ecryptfs
  deny @{HOME}/.Private/** mrxwlk,
  deny @{HOMEDIRS}/.ecryptfs/*/.Private/** mrxwlk,

  include if exists <abstractions/deny-sensitive-home.d>
