# kate: syntax AppArmor Security Profile
# vim:  syntax=apparmor

# Author: Nibaldo Gonzalez <nibgonz@gmail.com>
# Last change: February 07, 2018 

# Block binary execution & mapping of compiled libraries from untrusted sources
audit deny owner /**/* mx,
audit deny @{HOME}/** mx,
audit deny /{data,media,mnt,srv,net,cdrom,var,run,tmp}/** mx,

# Block Python imports from untrusted sources
deny owner /**/**.py* r,
deny @{HOME}/**.py* r,
deny /{data,media,mnt,srv,net,cdrom,var,run,tmp}/**.py* r,

audit deny /dev/{video,audio}* rwlkmx,

# For Windows partition
deny /media/*/[Ww]indows/{Program*,Windows}/{,**} w,
deny /media/*/[Ww]indows/Users/ w,
deny /media/*/[Ww]indows/Users/*/ w,

# Avoid modifications
audit deny @{HOME}/.local/share/applications/** w,
audit deny @{HOME}/.local/share/flatpak/** w,
audit deny @{HOME}/.kde{,4}/{,share/,share/apps/} w,
audit deny @{HOME}/.app/** w,

audit deny @{HOME}/.* w,
deny @{HOME}/.bash_history r,

# Others
deny /run/udev/data/** rwklmx,
