feat(abs): add user-data abstraction.

Warning: experiemental, only for abi 4+, requires a prompting client. See: https://discourse.ubuntu.com/t/ubuntu-desktop-s-24-10-dev-cycle-part-5-introducing-permissions-prompting/47963
2024-11-14 15:33:47 +01:00 · 2024-09-25 15:14:16 +01:00 · 2024-09-25 15:14:16 +01:00 · 8fb767a5f9
commit 8fb767a5f9
parent 28b32f1ae3
1 changed files with 49 additions and 0 deletions
--- a/apparmor.d/abstractions/user-data
+++ b/apparmor.d/abstractions/user-data
@ -0,0 +1,49 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Gives access to non-hidden files in user's $HOME.
+# Warning: experiemental, only for abi 4+, requires a prompting client.
+
+  abi <abi/4.0>,
+
+  # Allow accessing the GNOME crypto services prompt APIs as used by
+  # applications using libgcr (such as pinentry-gnome3) for secure pin
+  # entry to unlock GPG keys etc. See:
+  # https://developer.gnome.org/gcr/unstable/GcrPrompt.html
+  # https://developer.gnome.org/gcr/unstable/GcrSecretExchange.html
+  # https://github.com/snapcore/snapd/pull/7673#issuecomment-592229711
+  dbus send bus=session path=/org/gnome/keyring/Prompter
+       interface=org.gnome.keyring.internal.Prompter
+       member={BeginPrompting,PerformPrompt,StopPrompting}
+       peer=(name="{@{busname}", label=pinentry-*),
+  dbus receive bus=session path=/org/gnome/keyring/Prompt/p@{int}
+       interface=org.gnome.keyring.internal.Prompter.Callback
+       member={PromptReady,PromptDone}
+       peer=(name="{@{busname}", label=pinentry-*),
+
+  # Allow read access to toplevel $HOME & mounts for the user.
+  prompt owner @{HOME}/ r,
+  prompt owner @{MOUNTS}/ r,
+
+  # Allow read/write access to all files in @{HOME}, except snap application
+  # data in @{HOME}/snap and toplevel hidden directories in @{HOME}.
+  prompt owner @{HOME}/[^s.]**             rwlk,
+  prompt owner @{HOME}/s[^n]**             rwlk,
+  prompt owner @{HOME}/sn[^a]**            rwlk,
+  prompt owner @{HOME}/sna[^p]**           rwlk,
+  prompt owner @{HOME}/snap[^/]**          rwlk,
+  prompt owner @{HOME}/{s,sn,sna}{,/}      rwlk,
+
+  # Allow access to mounts (/mnt/*/, /media/*/, @{run}/media/@{user}/*/, gvfs)
+  # for non-hidden files owned by the user.
+  prompt owner @{MOUNTS}/[^.]**            rwlk,
+
+  # Disallow writes to the well-known directory included in
+  # the user's PATH on several distributions
+  audit deny @{HOME}/bin/{,**} wl,
+  audit deny @{HOME}/bin wl,
+
+  include if exists <abstractions/user-data.d>
+
+# vim:syntax=apparmor