Add browserpass profile.

apparmor.d/groups/browsers/chromium-chromium

@@ -58,7 +58,7 @@ profile chromium-chromium @{exec_path} {
 
   # For storing passwords externally
   /{usr/,}bin/keepassxc-proxy   rPUx,
-  /{usr/,}bin/browserpass       rUx,
+  /{usr/,}bin/browserpass       rPx,
 
   /{usr/,}bin/lsb_release        rPx -> child-lsb_release,
   /{usr/,}bin/xdg-mime          rPUx,

apparmor.d/groups/browsers/firefox

@@ -166,7 +166,7 @@ profile firefox @{exec_path} {
 
   /{usr/,}bin/gpa              rPUx,
   /{usr/,}bin/keepassxc-proxy  rPUx, # For storing passwords externally
-  /{usr/,}bin/browserpass       rUx,
+  /{usr/,}bin/browserpass       rPx,
 
   /{usr/,}bin/lsb_release       rPx -> child-lsb_release,
 

apparmor.d/profiles-a-l/browserpass

@@ -0,0 +1,31 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}bin/browserpass
+profile browserpass @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/nameservice-strict>
+
+  deny network inet6 stream,
+  deny network inet stream,
+  network netlink raw,
+
+  @{exec_path} mr,
+
+  /{usr/,}bin/gpg rUx,
+
+  owner @{HOME}/.password-store/{,**} r,
+  owner @{HOME}/.mozilla/firefox/[0-9a-z]*.default/.parentlock rw,
+  owner @{HOME}/.mozilla/firefox/[0-9a-z]*.default/extensions/* r,
+  owner @{HOME}/.mozilla/firefox/[0-9a-z]*.default/startupCache/scriptCache-*.bin r,
+  owner @{HOME}/.mozilla/firefox/[0-9a-z]*.default/startupCache/startupCache.*.little r,
+
+  @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
+
+  include if exists <local/browserpass>
+}