feat(abs): add user-data abstraction.

Warning: experiemental, only for abi 4+, requires a prompting client.

See: https://discourse.ubuntu.com/t/ubuntu-desktop-s-24-10-dev-cycle-part-5-introducing-permissions-prompting/47963
This commit is contained in:
Alexandre Pujol 2024-09-25 15:14:16 +01:00
parent 28b32f1ae3
commit 8fb767a5f9
Failed to generate hash of commit

View file

@ -0,0 +1,49 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# Gives access to non-hidden files in user's $HOME.
# Warning: experiemental, only for abi 4+, requires a prompting client.
abi <abi/4.0>,
# Allow accessing the GNOME crypto services prompt APIs as used by
# applications using libgcr (such as pinentry-gnome3) for secure pin
# entry to unlock GPG keys etc. See:
# https://developer.gnome.org/gcr/unstable/GcrPrompt.html
# https://developer.gnome.org/gcr/unstable/GcrSecretExchange.html
# https://github.com/snapcore/snapd/pull/7673#issuecomment-592229711
dbus send bus=session path=/org/gnome/keyring/Prompter
interface=org.gnome.keyring.internal.Prompter
member={BeginPrompting,PerformPrompt,StopPrompting}
peer=(name="{@{busname}", label=pinentry-*),
dbus receive bus=session path=/org/gnome/keyring/Prompt/p@{int}
interface=org.gnome.keyring.internal.Prompter.Callback
member={PromptReady,PromptDone}
peer=(name="{@{busname}", label=pinentry-*),
# Allow read access to toplevel $HOME & mounts for the user.
prompt owner @{HOME}/ r,
prompt owner @{MOUNTS}/ r,
# Allow read/write access to all files in @{HOME}, except snap application
# data in @{HOME}/snap and toplevel hidden directories in @{HOME}.
prompt owner @{HOME}/[^s.]** rwlk,
prompt owner @{HOME}/s[^n]** rwlk,
prompt owner @{HOME}/sn[^a]** rwlk,
prompt owner @{HOME}/sna[^p]** rwlk,
prompt owner @{HOME}/snap[^/]** rwlk,
prompt owner @{HOME}/{s,sn,sna}{,/} rwlk,
# Allow access to mounts (/mnt/*/, /media/*/, @{run}/media/@{user}/*/, gvfs)
# for non-hidden files owned by the user.
prompt owner @{MOUNTS}/[^.]** rwlk,
# Disallow writes to the well-known directory included in
# the user's PATH on several distributions
audit deny @{HOME}/bin/{,**} wl,
audit deny @{HOME}/bin wl,
include if exists <abstractions/user-data.d>
# vim:syntax=apparmor