From b50469294e1c90d210e8f1f8a8ede2de38b99027 Mon Sep 17 00:00:00 2001
From: madaidan <50278627+madaidan@users.noreply.github.com>
Date: Sun, 9 Feb 2020 00:27:05 +0000
Subject: [PATCH 1/2] Deny write access to hard drives
---
 etc/apparmor.d/abstractions/init-systemd | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/etc/apparmor.d/abstractions/init-systemd b/etc/apparmor.d/abstractions/init-systemd
index 04c4f26..168a1d8 100644
--- a/etc/apparmor.d/abstractions/init-systemd
+++ b/etc/apparmor.d/abstractions/init-systemd
@@ -228,7 +228,7 @@
 /dev/kvm rw,
 owner /dev/sr0 rwk,
 /dev/log rw,
- owner /dev/sd* rwmk,
+ owner /dev/sd* r,
 owner /dev/kmsg rw,
 owner /dev/fb0 rw,
 owner /dev/vga_arbiter rw,
From 46a6e909de7fac0283109b0f9e7ca25f6c09f0bf Mon Sep 17 00:00:00 2001
From: madaidan <50278627+madaidan@users.noreply.github.com>
Date: Sun, 9 Feb 2020 00:28:38 +0000
Subject: [PATCH 2/2] Deny write access to hard drives
---
 etc/apparmor.d/abstractions/dangerous-files | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/etc/apparmor.d/abstractions/dangerous-files b/etc/apparmor.d/abstractions/dangerous-files
index 399f677..8085e75 100644
--- a/etc/apparmor.d/abstractions/dangerous-files
+++ b/etc/apparmor.d/abstractions/dangerous-files
@@ -132,3 +132,7 @@
 audit deny /var/lib/hardened-kernel/** rw,
 audit deny /usr/share/hardened-kernel/ rw,
 audit deny /usr/share/hardened-kernel/** rw,
+
+ ## Deny write access to hard drives. Otherwise, an attacker can write to
+ ## e.g. /dev/sda to bypass restrictions.
+ audit deny /dev/sd* rw,
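Review bot: The `/dev/sd*` glob on the changed `owner /dev/sd* r,` line only names SCSI/SATA-style disks, so a root disk exposed as `/dev/nvme*`, `/dev/vd*` or `/dev/mmcblk*` is untouched by this narrowing and keeps whatever other rules grant; the same gap applies to the new `audit deny /dev/sd* rw,` line in the dangerous-files hunk, where an alternation such as `audit deny /dev/{sd,vd,nvme,mmcblk}* rw,` would make the intended coverage explicit. The rule also still allows `r`, which lets a confined process read the raw disk; if that is deliberate, a one-line comment on the rule saying why read is retained would save the next reader from re-deriving it. Whether any profile in this tree runs on non-`/dev/sd*` storage is not visible from the hunk.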
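Review bot: The added `audit deny /dev/sd* rw,` denies read as well as write, while the init-systemd hunk in the first patch deliberately keeps `owner /dev/sd* r,`; because AppArmor deny rules take precedence over allow rules, any profile that includes both abstractions loses read access too and the `r` kept there becomes ineffective for it. Either outcome is defensible, but the two rules should agree: drop the `r` in init-systemd, or change this line to `audit deny /dev/sd* w,` if raw reads are meant to stay available. The `audit` qualifier logs every denied access, which is useful for detecting tampering attempts, so the new comment could say so, e.g. `## Denials are audited so write attempts show up in the AppArmor log.` Which profiles include both abstractions is not visible from this patch.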