mirrors/apparmor.d
1
0
Fork 0
mirror of https://github.com/roddhjav/apparmor.d.git synced 2025-01-18 00:48:10 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat(pass): restrict secret dir path.

Browse source
This commit is contained in:
Alexandre Pujol 2023-04-16 20:46:17 +01:00
parent 15029a198a
commit 03b98ad7de
Failed to generate hash of commit
4 changed files with 1 additions and 17 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
apparmor.d/groups/gpg/gpgconf
View file

@ -31,7 +31,6 @@ profile gpgconf @{exec_path} {
owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
owner @{run}/user/@{uid}/gnupg/ w, owner @{run}/user/@{uid}/gnupg/ w,
owner @{run}/user/@{uid}/gnupg/** rwkl -> @{run}/user/@{uid}/gnupg/**, owner @{run}/user/@{uid}/gnupg/** rwkl -> @{run}/user/@{uid}/gnupg/**,
owner @{user_projects_dirs}/**/gnupg/** rwkl -> @{user_projects_dirs}/**/gnupg/**,
owner @{PROC}/@{pid}/task/@{tid}/stat rw, owner @{PROC}/@{pid}/task/@{tid}/stat rw,
owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner @{PROC}/@{pid}/task/@{tid}/comm rw,

1
apparmor.d/groups/gpg/gpgsm
View file

@ -23,7 +23,6 @@ profile gpgsm @{exec_path} {
deny /usr/bin/.gnupg/ w, deny /usr/bin/.gnupg/ w,
owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
owner @{user_projects_dirs}/**/gnupg/** rwkl -> @{user_projects_dirs}/**,
owner /var/lib/*/.gnupg/** rwkl -> /var/lib/*/.gnupg/**, owner /var/lib/*/.gnupg/** rwkl -> /var/lib/*/.gnupg/**,

14
apparmor.d/profiles-m-r/pass
View file

@ -57,8 +57,6 @@ profile pass @{exec_path} {
/usr/share/terminfo/x/xterm-256color r, /usr/share/terminfo/x/xterm-256color r,
owner @{user_password_store_dirs}/{,**} rw, owner @{user_password_store_dirs}/{,**} rw,
owner @{user_projects_dirs}/**/*-store/{,**} rw,
owner @{user_config_dirs}/*-store/{,**} rw,
owner /dev/shm/pass.*/{,*} rw, owner /dev/shm/pass.*/{,*} rw,
@{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/cmdline r,
@ -85,8 +83,6 @@ profile pass @{exec_path} {
owner @{HOME}/.viminf{o,z}{,.tmp} rw, owner @{HOME}/.viminf{o,z}{,.tmp} rw,
owner @{user_password_store_dirs}/{,**/} r, owner @{user_password_store_dirs}/{,**/} r,
owner @{user_projects_dirs}/**/*-store/{,**/} r,
owner @{user_config_dirs}/*-store/{,**/} r,
owner @{user_cache_dirs}/vim/{,**} rw, owner @{user_cache_dirs}/vim/{,**} rw,
owner @{user_config_dirs}/vim/{,**} rw, owner @{user_config_dirs}/vim/{,**} rw,
@ -125,17 +121,13 @@ profile pass @{exec_path} {
owner @{user_password_store_dirs}/ rw, owner @{user_password_store_dirs}/ rw,
owner @{user_password_store_dirs}/** rwkl -> @{HOME}/.password-store/**, owner @{user_password_store_dirs}/** rwkl -> @{HOME}/.password-store/**,
owner @{user_projects_dirs}/**/*-store/ rw,
owner @{user_projects_dirs}/**/*-store/** rwkl -> @{user_projects_dirs}/**/*-store/**,
owner @{user_config_dirs}/*-store/ rw,
owner @{user_config_dirs}/*-store/** rwkl -> @{user_config_dirs}/*-store/**,
owner /tmp/.git_vtag_tmp* rw, # For git log --show-signature owner /tmp/.git_vtag_tmp* rw, # For git log --show-signature
include if exists <local/pass_git> include if exists <local/pass_git>
} }
profile gpg flags=(complain) { profile gpg {
include <abstractions/base> include <abstractions/base>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
@ -148,10 +140,6 @@ profile pass @{exec_path} {
owner @{user_password_store_dirs}/ rw, owner @{user_password_store_dirs}/ rw,
owner @{user_password_store_dirs}/** rwkl -> @{HOME}/.password-store/**, owner @{user_password_store_dirs}/** rwkl -> @{HOME}/.password-store/**,
owner @{user_projects_dirs}/**/*-store/ rw,
owner @{user_projects_dirs}/**/*-store/** rwkl -> @{user_projects_dirs}/**/*-store/**,
owner @{user_config_dirs}/*-store/ rw,
owner @{user_config_dirs}/*-store/** rwkl -> @{user_config_dirs}/*-store/**,
include if exists <local/pass_gpg> include if exists <local/pass_gpg>
} }

2
apparmor.d/profiles-m-r/pass-import
View file

@ -33,8 +33,6 @@ profile pass-import @{exec_path} {
/usr/share/file/misc/magic.mgc r, /usr/share/file/misc/magic.mgc r,
owner @{user_password_store_dirs}/{,**} rw, owner @{user_password_store_dirs}/{,**} rw,
owner @{user_projects_dirs}/**/*-store/{,**} rw,
owner @{user_config_dirs}/*-store/{,**} rw,
owner /tmp/[a-zA-Z0-9]* rw, owner /tmp/[a-zA-Z0-9]* rw,