# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
#
# See more at: https://gitlab.com/apparmor/apparmor/wikis/Pam_apparmor_example

#
# This file contains the roles as referenced by pam/mappings
#

abi <abi/4.0>,

include <tunables/global>

# By default, allow users to read, lock and link to their own files anywhere,
# but only write to files in their home directory. Only allow limited execution
# of files.
profile default_user flags=(complain) {
  include <abstractions/base>
  include <abstractions/bash-strict>
  include <abstractions/consoles>
  include <abstractions/nameservice>

  deny capability sys_ptrace,

  @{bin}/**  Pixmr,

  owner /** rkl,
  @{PROC}/** r,

  owner @{HOMEDIRS}/ w,
  owner @{HOMEDIRS}/** w,

}

# Allow confined_users to read, write, lock and link to their own files
# anywhere, and execute from some places.
profile confined_user flags=(complain) {
  include <abstractions/base>
  include <abstractions/bash-strict>
  include <abstractions/consoles>
  include <abstractions/nameservice>

  deny capability sys_ptrace,

  @{bin}/**  Pixmr,
  owner @{HOMEDIRS}/bin/** ixmr,
  owner @{user_bin_dirs}/** ixmr,

  owner /** rwkl,
  @{PROC}/** r,

}
