# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

# Allow confined users to read, write, lock and link to their own files
# anywhere, and execute from some places.

abi <abi/4.0>,

include <tunables/global>

profile user_confined flags=(complain) {
  include <abstractions/base>
  include <abstractions/consoles>
  include <abstractions/nameservice-strict>
  include <abstractions/shells>

  deny capability sys_ptrace,

  @{bin}/**  Pixmr,

  owner /** rwkl,
  owner @{HOMEDIRS}/bin/** ixmr,
  owner @{user_bin_dirs}/** ixmr,

  @{PROC}/** r,

  include if exists <local/user_confined>
}

# vim:syntax=apparmor
