# kate: syntax AppArmor Security Profile
# vim:  syntax=apparmor

# Last change: March 13, 2019

# Files and directories with sensitive data,
# such as keys, passwords, settings or others:

@{SSHKEYS} = @{HOME}/.ssh/{,**}
@{PGPKEYS} = @{HOME}/.gnupg/{,**}
@{ANDROIDKEYS} = @{HOME}/.android-keys/{,**}
@{KWALLET} = @{HOME}/.kde{,4}/share/apps/kwallet/{,**} @{HOME}/.local/share/kwalletd/{,**}

@{MUTT} = @{HOME}/.mutt/** @{HOME}/.muttrc
@{THUNDERBIRD} = @{HOME}/.thunderbird/{,**} @{HOME}/.cache/thunderbird/**
@{THUNDERBIRD_SPECIFIC} = @{HOME}/.thunderbird/ @{HOME}/.thunderbird/profiles.ini @{HOME}/.thunderbird/*/{,**} @{HOME}/.cache/thunderbird/**
@{MOZILLA} = @{HOME}/.mozilla/*/{,**} @{HOME}/.cache/mozilla/firefox/*/{,**}
@{OPERA} = @{HOME}/.config/opera/{,**} @{HOME}/.cache/opera/**
@{VIVALDI} = @{HOME}/.config/vivaldi/{,**} @{HOME}/.cache/vivaldi/**
@{CHROME} =  @{HOME}/.config/chromium/{,**} @{HOME}/.config/google-chrome/{,**} @{HOME}/.cache/{chromium,google-chrome}/**
@{CHROME} += @{HOME}/.encrypted-volume/chromium/{,**} @{HOME}/.encrypted-volume/google-chrome/{,**}
@{BRAVE} = @{HOME}/.config/BraveSoftware/{,**} @{HOME}/.cache/BraveSoftware/**
@{TELEGRAM} = @{HOME}/.TelegramDesktop/{,**} @{HOME}/.var/app/org.telegram.desktop/{,**}

@{USER_HISTORY} = @{HOME}/.local/share/recently-used.xbel @{HOME}/.kde/share/apps/RecentDocuments/** @{HOME}/.cache/thumbnails/**
#@{FLATPAK} = @{HOME}/.var/app/** @{HOME}/.local/share/flatpak/{app,db,repo,runtime,system-cache}/**

# System
@{SYSTEM_SEC} =  /boot/** /var/log/**
@{SYSTEM_SEC} += @{HOME}/.config/autostart{,-scripts}/** /etc/xdg/autostart/**
@{SYSTEM_SEC} += /etc/init.d/** /etc/cron.*/** /etc/initramfs-tools/** /etc/systemd/** /etc/xdg/systemd/**
@{SYSTEM_SEC} += /etc/apparmor.d/** /etc/apparmor/** /var/lib/apparmor/**

# The following variables allow blocking access to confidential data
# or data from other applications.
# For example, for Mozilla Firefox, use:
#   deny @{CONFIDENTIAL_EXCEPT_MOZILLA} rwklmx,
# Also, you can use abstraction:
#   include <abstractions/confidential-deny>

@{CONFIDENTIAL} =  @{SSHKEYS} @{PGPKEYS} @{KWALLET} @{ANDROIDKEYS} @{USER_HISTORY} @{SYSTEM_SEC}
@{CONFIDENTIAL} += @{MUTT} @{THUNDERBIRD} @{MOZILLA} @{OPERA} @{CHROME} @{VIVALDI} @{BRAVE} @{TELEGRAM}

@{CONFIDENTIAL_EXCEPT_SSHKEYS} =  @{PGPKEYS} @{KWALLET} @{ANDROIDKEYS} @{USER_HISTORY} @{SYSTEM_SEC}
@{CONFIDENTIAL_EXCEPT_SSHKEYS} += @{MUTT} @{THUNDERBIRD} @{MOZILLA} @{OPERA} @{CHROME} @{VIVALDI} @{BRAVE} @{TELEGRAM}

@{CONFIDENTIAL_EXCEPT_PGPKEYS} =  @{SSHKEYS} @{KWALLET} @{ANDROIDKEYS} @{USER_HISTORY} @{SYSTEM_SEC}
@{CONFIDENTIAL_EXCEPT_PGPKEYS} += @{MUTT} @{THUNDERBIRD} @{MOZILLA} @{OPERA} @{CHROME} @{VIVALDI} @{BRAVE} @{TELEGRAM}

@{CONFIDENTIAL_EXCEPT_KWALLET} =  @{SSHKEYS} @{PGPKEYS} @{ANDROIDKEYS} @{USER_HISTORY} @{SYSTEM_SEC}
@{CONFIDENTIAL_EXCEPT_KWALLET} += @{MUTT} @{THUNDERBIRD} @{MOZILLA} @{OPERA} @{CHROME} @{VIVALDI} @{BRAVE} @{TELEGRAM}

@{CONFIDENTIAL_EXCEPT_MOZILLA} =  @{SSHKEYS} @{PGPKEYS} @{KWALLET} @{ANDROIDKEYS} @{USER_HISTORY} @{SYSTEM_SEC}
@{CONFIDENTIAL_EXCEPT_MOZILLA} += @{MUTT} @{THUNDERBIRD} @{OPERA} @{CHROME} @{VIVALDI} @{BRAVE} @{TELEGRAM}

@{CONFIDENTIAL_EXCEPT_CHROME} =  @{SSHKEYS} @{PGPKEYS} @{KWALLET} @{ANDROIDKEYS} @{USER_HISTORY} @{SYSTEM_SEC}
@{CONFIDENTIAL_EXCEPT_CHROME} += @{MUTT} @{THUNDERBIRD} @{MOZILLA} @{OPERA} @{VIVALDI} @{BRAVE} @{TELEGRAM}

@{CONFIDENTIAL_EXCEPT_OPERA} =  @{SSHKEYS} @{PGPKEYS} @{KWALLET} @{ANDROIDKEYS} @{USER_HISTORY} @{SYSTEM_SEC}
@{CONFIDENTIAL_EXCEPT_OPERA} += @{MUTT} @{THUNDERBIRD} @{MOZILLA} @{CHROME} @{VIVALDI} @{BRAVE} @{TELEGRAM}

@{CONFIDENTIAL_EXCEPT_MUTT} =  @{SSHKEYS} @{PGPKEYS} @{KWALLET} @{ANDROIDKEYS} @{USER_HISTORY} @{SYSTEM_SEC}
@{CONFIDENTIAL_EXCEPT_MUTT} += @{THUNDERBIRD} @{OPERA} @{MOZILLA} @{CHROME} @{VIVALDI} @{BRAVE} @{TELEGRAM}

@{CONFIDENTIAL_EXCEPT_THUNDERBIRD} =  @{SSHKEYS} @{PGPKEYS} @{KWALLET} @{ANDROIDKEYS} @{USER_HISTORY} @{SYSTEM_SEC}
@{CONFIDENTIAL_EXCEPT_THUNDERBIRD} += @{MUTT} @{MOZILLA} @{OPERA} @{CHROME} @{VIVALDI} @{BRAVE} @{TELEGRAM}

@{CONFIDENTIAL_EXCEPT_TELEGRAM} =  @{SSHKEYS} @{PGPKEYS} @{KWALLET} @{ANDROIDKEYS} @{USER_HISTORY} @{SYSTEM_SEC}
@{CONFIDENTIAL_EXCEPT_TELEGRAM} += @{MUTT} @{THUNDERBIRD} @{MOZILLA} @{OPERA} @{CHROME} @{VIVALDI} @{BRAVE}

@{CONFIDENTIAL_EXCEPT_VIVALDI} =  @{SSHKEYS} @{PGPKEYS} @{KWALLET} @{ANDROIDKEYS} @{USER_HISTORY} @{SYSTEM_SEC}
@{CONFIDENTIAL_EXCEPT_VIVALDI} += @{MUTT} @{THUNDERBIRD} @{MOZILLA} @{OPERA} @{CHROME} @{BRAVE} @{TELEGRAM}

@{CONFIDENTIAL_EXCEPT_BRAVE} =  @{SSHKEYS} @{PGPKEYS} @{KWALLET} @{ANDROIDKEYS} @{USER_HISTORY} @{SYSTEM_SEC}
@{CONFIDENTIAL_EXCEPT_BRAVE} += @{MUTT} @{THUNDERBIRD} @{MOZILLA} @{OPERA} @{CHROME} @{VIVALDI} @{TELEGRAM}

@{CONFIDENTIAL_VIEWER} =  @{SSHKEYS} @{PGPKEYS} @{KWALLET} @{ANDROIDKEYS} @{SYSTEM_SEC}
@{CONFIDENTIAL_VIEWER} += @{MUTT} @{THUNDERBIRD_SPECIFIC} @{MOZILLA} @{OPERA} @{CHROME} @{VIVALDI} @{BRAVE} @{TELEGRAM}
