fix(profile): add deny-sensitive-home abstraction.

2024-11-14 23:43:56 +01:00 · 2022-10-01 19:18:54 +01:00 · 2022-10-01 19:18:54 +01:00 · d0a8030af8
commit d0a8030af8
parent 8a55eb8330
3 changed files with 38 additions and 0 deletions
--- a/apparmor.d/abstractions/deny-sensitive-home
+++ b/apparmor.d/abstractions/deny-sensitive-home
@ -0,0 +1,36 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# DO NOT USE IT WITHOUT EXPLICIT AUTHORISATION FROM THE PROJECT MAINTAINER
+
+# Per the first rule of this project:
+# As these are mandatory access control policies only what it explicitly required
+# should be authorized. Meaning, you should not allow everything (or a large area)
+# and blacklist some sub area.
+
+# Use in this project: file browser and search engine
+
+  deny @{HOME}/.*_history            rwlk,
+  deny @{HOME}/.*age*{,/{,**}}       rwlk,
+  deny @{HOME}/.*cert*{,/{,**}}      rwlk,
+  deny @{HOME}/.*key*{,/{,**}}       rwlk,
+  deny @{HOME}/.*pass*{,/{,**}}      rwlk,
+  deny @{HOME}/.*pki*{,/{,**}}       rwlk,
+  deny @{HOME}/.*private*{,/{,**}}   rwlk,
+  deny @{HOME}/.*secret*{,/{,**}}    rwlk,
+  deny @{HOME}/.*yubi*{,/{,**}}      rwlk,
+  deny @{HOME}/.lesshst*             rwlk,
+  deny @{HOME}/.wget-hsts            rwlk,
+  deny @{HOME}/@{XDG_GPG_DIR}/{,**}  rwlk,
+  deny @{HOME}/@{XDG_SSH_DIR}/{,**}  rwlk,
+
+  # Deny executable mapping in writable space as allowed in abstractions/fonts
+  deny @{HOME}/.{,cache/}fontconfig/ rw,
+  deny @{HOME}/.{,cache/}fontconfig/** mrwl,
+
+  # Deny executable mapping in writable space as allowed in abstractions/base for ecryptfs
+  deny @{HOME}/.Private/** mrxwlk,
+  deny @{HOMEDIRS}/.ecryptfs/*/.Private/** mrxwlk,
+
+  include if exists <abstractions/deny-sensitive-home.d>
--- a/apparmor.d/groups/gnome/nautilus
+++ b/apparmor.d/groups/gnome/nautilus
@ -58,6 +58,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
  owner /tmp/{,**} rw,

  # Silence non user's data
+  include <abstractions/deny-sensitive-home>
  deny /boot/{,**} r,
  deny /opt/{,**} r,
  deny /root/{,**} r,
--- a/apparmor.d/groups/gnome/tracker-miner
+++ b/apparmor.d/groups/gnome/tracker-miner
@ -12,6 +12,7 @@ profile tracker-miner @{exec_path} {
  include <abstractions/dbus-session-strict>
  include <abstractions/dbus-strict>
  include <abstractions/dconf-write>
+  include <abstractions/deny-sensitive-home>
  include <abstractions/disks-read>
  include <abstractions/freedesktop.org>
  include <abstractions/nameservice-strict>