From f19379c55fd60c2814341868ec55c55a65023172 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Wed, 1 Feb 2023 22:34:54 +0000
Subject: [PATCH] feat(abs): extend deny-sensitive with new user_password_store_dirs var.
---
 apparmor.d/abstractions/deny-sensitive-home | 28 +++++++++++---------
 1 file changed, 15 insertions(+), 13 deletions(-)
diff --git a/apparmor.d/abstractions/deny-sensitive-home b/apparmor.d/abstractions/deny-sensitive-home
index 6fa612e8..ad49264c 100644
--- a/apparmor.d/abstractions/deny-sensitive-home
+++ b/apparmor.d/abstractions/deny-sensitive-home
@@ -11,19 +11,21 @@
 # Use in this project: file browser and search engine
- deny @{HOME}/.*_history rwlk,
- deny @{HOME}/.*age*{,/{,**}} rwlk,
- deny @{HOME}/.*cert*{,/{,**}} rwlk,
- deny @{HOME}/.*key*{,/{,**}} rwlk,
- deny @{HOME}/.*pass*{,/{,**}} rwlk,
- deny @{HOME}/.*pki*{,/{,**}} rwlk,
- deny @{HOME}/.*private*{,/{,**}} rwlk,
- deny @{HOME}/.*secret*{,/{,**}} rwlk,
- deny @{HOME}/.*yubi*{,/{,**}} rwlk,
- deny @{HOME}/.lesshst* rwlk,
- deny @{HOME}/.wget-hsts rwlk,
- deny @{HOME}/@{XDG_GPG_DIR}/{,**} rwlk,
- deny @{HOME}/@{XDG_SSH_DIR}/{,**} rwlk,
+ deny @{HOME}/.*_history rwlk,
+ deny @{HOME}/.*age*{,/{,**}} rwlk,
+ deny @{HOME}/.*cert*{,/{,**}} rwlk,
+ deny @{HOME}/.*key*{,/{,**}} rwlk,
+ deny @{HOME}/.*pass*{,/{,**}} rwlk,
+ deny @{HOME}/.*pki*{,/{,**}} rwlk,
+ deny @{HOME}/.*private*{,/{,**}} rwlk,
+ deny @{HOME}/.*secret*{,/{,**}} rwlk,
+ deny @{HOME}/.*yubi*{,/{,**}} rwlk,
+ deny @{HOME}/.lesshst* rwlk,
+ deny @{HOME}/.wget-hsts rwlk,
+ deny @{HOME}/@{XDG_GPG_DIR}/{,**} rwlk,
+ deny @{HOME}/@{XDG_SSH_DIR}/{,**} rwlk,
+ deny @{user_config_dirs}/*-store/{,**} rwlk,
+ deny @{user_password_store_dirs}/{,**} rwlk,
 # Deny executable mapping in writable space as allowed in abstractions/fonts
 deny @{HOME}/.{,cache/}fontconfig/ rw,
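Review bot: The new rule `deny @{user_password_store_dirs}/{,**} rwlk,` depends on a variable that this patch does not define, since the diffstat lists only this abstraction. Every profile that includes `deny-sensitive-home` will fail to compile unless `@{user_password_store_dirs}` is declared in a tunable loaded before it, so that ordering is worth confirming. The `@{user_config_dirs}/*-store/{,**}` rule matches purely on a directory-name suffix, so it covers only stores that follow that naming and may also hit unrelated directories. A comment above the two new rules would make that limit explicit, for example `# Password manager stores: name-based match, not exhaustive`. As with the existing rules, a plain `deny` also suppresses logging, so attempted reads of these stores will not appear in the audit log unless `audit deny` is used.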