Merge pull request #37 from madaidan/drives

Deny write access to hard drives

etc/apparmor.d/abstractions/dangerous-files

@@ -132,3 +132,7 @@
   audit deny /var/lib/hardened-kernel/** rw,
   audit deny /usr/share/hardened-kernel/ rw,
   audit deny /usr/share/hardened-kernel/** rw,
+
+  ## Deny write access to hard drives. Otherwise, an attacker can write to
+  ## e.g. /dev/sda to bypass restrictions.
+  audit deny /dev/sd* rw,

etc/apparmor.d/abstractions/init-systemd

@@ -228,7 +228,7 @@
   /dev/kvm rw,
   owner /dev/sr0 rwk,
   /dev/log rw,
-  owner /dev/sd* rwmk,
+  owner /dev/sd* r,
   owner /dev/kmsg rw,
   owner /dev/fb0 rw,
   owner /dev/vga_arbiter rw,