<!-- in order to avoid to get image with password text -->
<policy domain="path" rights="none" pattern="@*"/>
<policy domain="cache" name="shared-secret" value="passphrase" stealth="true"/>
+ <!-- disable ghostscript format types -->
+ <policy domain="coder" rights="none" pattern="PS" />
+ <policy domain="coder" rights="none" pattern="EPI" />
+ <policy domain="coder" rights="none" pattern="PDF" />
+ <policy domain="coder" rights="none" pattern="XPS" />
</policymap>
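Review bot: The added coder block lists PS, EPI, PDF and XPS, but ImageMagick also routes the PS2, PS3 and EPS coders through the same Ghostscript delegate, so a file renamed or given a matching magic for one of those still reaches gs; if the intent is "disable ghostscript format types", the list should be extended with `<policy domain="coder" rights="none" pattern="PS2"/>`, `<policy domain="coder" rights="none" pattern="PS3"/>` and `<policy domain="coder" rights="none" pattern="EPS"/>`. The new lines also use `" />` with a space before the self-closing slash while every surrounding policy line uses `"/>`; keep one form. Whether the hunk's first context line is the start of the hunk is not visible here.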
deny @{HOME}/.*.bak mrwkl,
# special attention to (potentially) executable files
- audit deny @{HOME}/bin/** wl,
- audit deny @{HOME}/.config/autostart/** wl,
- audit deny @{HOME}/.config/upstart/** wl,
- audit deny @{HOME}/.init/** wl,
- audit deny @{HOME}/.kde{,4}/Autostart/** wl,
- audit deny @{HOME}/.kde{,4}/env/** wl,
- audit deny @{HOME}/.pki/nssdb/*.so{,.[0-9]*} wl,
+ audit deny @{HOME}/bin/{,**} wl,
+ audit deny @{HOME}/.config/ w,
+ audit deny @{HOME}/.config/autostart/{,**} wl,
+ audit deny @{HOME}/.config/upstart/{,**} wl,
+ audit deny @{HOME}/.init/{,**} wl,
+ audit deny @{HOME}/.kde{,4}/ w,
+ audit deny @{HOME}/.kde{,4}/Autostart/{,**} wl,
+ audit deny @{HOME}/.kde{,4}/env/{,**} wl,
+ audit deny @{HOME}/.local/{,share/} w,
+ audit deny @{HOME}/.local/share/thumbnailers/{,**} wl,
+ audit deny @{HOME}/.pki/ w,
+ audit deny @{HOME}/.pki/nssdb/{,*.so{,.[0-9]*}} wl,
# don't allow reading/updating of run control files
deny @{HOME}/.*rc mrk,
#include <abstractions/private-files>
# potentially extremely sensitive files
- audit deny @{HOME}/.gnupg/** mrwkl,
- audit deny @{HOME}/.ssh/** mrwkl,
- audit deny @{HOME}/.gnome2_private/** mrwkl,
- audit deny @{HOME}/.gnome2/keyrings/** mrwkl,
+ audit deny @{HOME}/.gnupg/{,**} mrwkl,
+ audit deny @{HOME}/.ssh/{,**} mrwkl,
+ audit deny @{HOME}/.gnome2_private/{,**} mrwkl,
+ audit deny @{HOME}/.gnome2/ w,
+ audit deny @{HOME}/.gnome2/keyrings/{,**} mrwkl,
# don't allow access to any gnome-keyring modules
audit deny /{,var/}run/user/[0-9]*/keyring** mrwkl,
- audit deny @{HOME}/.mozilla/** mrwkl,
- audit deny @{HOME}/.config/chromium/** mrwkl,
- audit deny @{HOME}/.{,mozilla-}thunderbird/** mrwkl,
- audit deny @{HOME}/.evolution/** mrwkl,
- audit deny @{HOME}/.config/evolution/** mrwkl,
- audit deny @{HOME}/.kde{,4}/share/apps/kmail{,2}/** mrwkl,
- audit deny @{HOME}/.kde{,4}/share/apps/kwallet/** mrwkl,
+ audit deny @{HOME}/.mozilla/{,**} mrwkl,
+ audit deny @{HOME}/.config/ w,
+ audit deny @{HOME}/.config/chromium/{,**} mrwkl,
+ audit deny @{HOME}/.config/evolution/{,**} mrwkl,
+ audit deny @{HOME}/.evolution/{,**} mrwkl,
+ audit deny @{HOME}/.{,mozilla-}thunderbird/{,**} mrwkl,
+ audit deny @{HOME}/.kde{,4}/{,share/,share/apps/} w,
+ audit deny @{HOME}/.kde{,4}/share/apps/kmail{,2}/{,**} mrwkl,
+ audit deny @{HOME}/.kde{,4}/share/apps/kwallet/{,**} mrwkl,
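Review bot: The new `audit deny @{HOME}/.config/ w,` in this abstraction repeats the identical rule the same diff adds to private-files, which this file already pulls in via `#include <abstractions/private-files>`; the duplicate is harmless to the policy compiler but adds nothing, and the `@{HOME}/.kde{,4}/{,share/,share/apps/} w` line likewise overlaps the `@{HOME}/.kde{,4}/ w` rule added there (the last hunk of the diff repeats the kde rule a third time). A short comment on the retained parent-directory rules would help future maintainers, e.g. `# deny w on the parent dirs so the protected subtrees cannot be renamed or removed out from under the rules below`. Note that, since deny takes precedence over allow, a `w` deny on `@{HOME}/.config/` itself also appears to block a confined program from creating `~/.config/` on a fresh home directory — presumably intended, but worth confirming for profiles that include this abstraction and grant `owner @{HOME}/.config/** rw`.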
# Do not allow read and/or write to particularly sensitive/problematic files
#include <abstractions/private-files>
- audit deny @{HOME}/.ssh/** mrwkl,
- audit deny @{HOME}/.gnome2_private/** mrwkl,
- audit deny @{HOME}/.kde{,4}/share/apps/kwallet/** mrwkl,
+ audit deny @{HOME}/.ssh/{,**} mrwkl,
+ audit deny @{HOME}/.gnome2_private/{,**} mrwkl,
+ audit deny @{HOME}/.kde{,4}/{,share/,share/apps/} w,
+ audit deny @{HOME}/.kde{,4}/share/apps/kwallet/{,**} mrwkl,
# Comment this out if using gpg plugin/addons
- audit deny @{HOME}/.gnupg/** mrwkl,
+ audit deny @{HOME}/.gnupg/{,**} mrwkl,
# Allow read to all files user has DAC access to and write for files the user
# owns on removable media and filesystems.