mirror of
https://github.com/roddhjav/apparmor.d.git
synced 2024-12-25 06:27:49 +01:00
feat(abs): add user-data abstraction.
Warning: experiemental, only for abi 4+, requires a prompting client. See: https://discourse.ubuntu.com/t/ubuntu-desktop-s-24-10-dev-cycle-part-5-introducing-permissions-prompting/47963
This commit is contained in:
parent
28b32f1ae3
commit
8fb767a5f9
1 changed files with 49 additions and 0 deletions
49
apparmor.d/abstractions/user-data
Normal file
49
apparmor.d/abstractions/user-data
Normal file
|
@ -0,0 +1,49 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
# Gives access to non-hidden files in user's $HOME.
|
||||
# Warning: experiemental, only for abi 4+, requires a prompting client.
|
||||
|
||||
abi <abi/4.0>,
|
||||
|
||||
# Allow accessing the GNOME crypto services prompt APIs as used by
|
||||
# applications using libgcr (such as pinentry-gnome3) for secure pin
|
||||
# entry to unlock GPG keys etc. See:
|
||||
# https://developer.gnome.org/gcr/unstable/GcrPrompt.html
|
||||
# https://developer.gnome.org/gcr/unstable/GcrSecretExchange.html
|
||||
# https://github.com/snapcore/snapd/pull/7673#issuecomment-592229711
|
||||
dbus send bus=session path=/org/gnome/keyring/Prompter
|
||||
interface=org.gnome.keyring.internal.Prompter
|
||||
member={BeginPrompting,PerformPrompt,StopPrompting}
|
||||
peer=(name="{@{busname}", label=pinentry-*),
|
||||
dbus receive bus=session path=/org/gnome/keyring/Prompt/p@{int}
|
||||
interface=org.gnome.keyring.internal.Prompter.Callback
|
||||
member={PromptReady,PromptDone}
|
||||
peer=(name="{@{busname}", label=pinentry-*),
|
||||
|
||||
# Allow read access to toplevel $HOME & mounts for the user.
|
||||
prompt owner @{HOME}/ r,
|
||||
prompt owner @{MOUNTS}/ r,
|
||||
|
||||
# Allow read/write access to all files in @{HOME}, except snap application
|
||||
# data in @{HOME}/snap and toplevel hidden directories in @{HOME}.
|
||||
prompt owner @{HOME}/[^s.]** rwlk,
|
||||
prompt owner @{HOME}/s[^n]** rwlk,
|
||||
prompt owner @{HOME}/sn[^a]** rwlk,
|
||||
prompt owner @{HOME}/sna[^p]** rwlk,
|
||||
prompt owner @{HOME}/snap[^/]** rwlk,
|
||||
prompt owner @{HOME}/{s,sn,sna}{,/} rwlk,
|
||||
|
||||
# Allow access to mounts (/mnt/*/, /media/*/, @{run}/media/@{user}/*/, gvfs)
|
||||
# for non-hidden files owned by the user.
|
||||
prompt owner @{MOUNTS}/[^.]** rwlk,
|
||||
|
||||
# Disallow writes to the well-known directory included in
|
||||
# the user's PATH on several distributions
|
||||
audit deny @{HOME}/bin/{,**} wl,
|
||||
audit deny @{HOME}/bin wl,
|
||||
|
||||
include if exists <abstractions/user-data.d>
|
||||
|
||||
# vim:syntax=apparmor
|
Loading…
Reference in a new issue