# Apparmor 3.0.0 Copyright (C) 2009-2020 Canonical Ltd.
#
# Hardened profile for keepassx

#include <tunables/home>
#include <tunables/fonts>
#include <tunables/lib>
#include <tunables/qt5>

# Path to the binary
/usr/bin/keepassx {

   # Enforce deny network access

   deny network,
   deny network raw,

   # /proc

   /proc/sys/kernel/random/boot_id r,

   # /dev

   /dev/urandom r,

   @{lib}** rm, # Basic lib

   # /usr/lib
   /usr/lib/libbsd* rm,
   /usr/lib/libg{pg,lapi,raphite2,lib-2.0,bm,crypt}* rm,
   /usr/lib/libG{L,LESv2}* rm,
   /usr/lib/libharfbuzz* rm,
   /usr/lib/libp{ng16,cre2}* rm,
   /usr/lib/libd{rm,ouble-conversion}* rm,
   /usr/lib/libfreetype* rm,
   /usr/lib/libexpat* rm,
   /usr/lib/libx* rm,
   /usr/lib/libICE* rm,
   /usr/lib/libSM* rm,
   /usr/lib/libX* rm,
   /usr/lib/libjpeg* rm,
   /usr/lib/libfontconfig* rm,
   /usr/lib/libEGL* rm,


   @{qt5}** rm, # Qt5 lib / modules

   @{fonts}** r, # Fonts

   # Basic user files 
   
   owner @{HOME}/.Xauthority r,
   
   # Specific for keepassx

   /usr/share/keepassx/** r,
   owner @{HOME}/.config/#{,0-9}* rwkl,
   owner @{HOME}/.config/QtProject.{conf,conf.lock,conf.*} rwkl,
   owner @{HOME}/.config/keepassx/* rwkl,
   owner @{HOME}/#{,0-9}* rwkl,
   owner @{HOME}/**.{kdb,kdbx,kdbx.lock,kdbx.*} rwkl,

}