# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

# By default, allow users to read, lock and link to their own files anywhere,
# but only write to files in their home directory. Only allow limited execution
# of files.

abi <abi/4.0>,

include <tunables/global>

profile user_default flags=(complain) {
  include <abstractions/base>
  include <abstractions/consoles>
  include <abstractions/nameservice-strict>
  include <abstractions/shells>

  deny capability sys_ptrace,

  @{bin}/**  Pixmr,

  owner /** rkl,
  owner @{HOMEDIRS}/ w,
  owner @{HOMEDIRS}/** w,

  @{PROC}/** r,

  include if exists <local/user_default>
}

# vim:syntax=apparmor
