diff --git a/apparmor.d/abstractions/user-read b/apparmor.d/abstractions/user-read index 1a218eb1b..210fd5f27 100644 --- a/apparmor.d/abstractions/user-read +++ b/apparmor.d/abstractions/user-read @@ -1,12 +1,27 @@ - apparmor.d - Full set of apparmor profiles +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2021 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# This abstraction provides safe read access to all directories -# that commonly include user owned files as referenced by the -# filesystem hierarchy standard. Hidden files in $HOME are excluded +# This abstraction gives read access on all defined user directories. It should +# only be used if access to **ALL** folders is required. - owner @{HOME}/ r, - owner @{HOME}/[^.]** r, - owner @{MOUNTDIRS}/{,**} r, + owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r, + owner @{HOME}/@{XDG_SCREENSHOTS_DIR}/{,**} r, + owner @{MOUNTS}/@{XDG_SCREENSHOTS_DIR}/{,**} r, + owner @{MOUNTS}/@{XDG_WALLPAPERS_DIR}/{,**} r, -include if exists + owner @{user_books_dirs}/{,**} r, + owner @{user_documents_dirs}/{,**} r, + owner @{user_games_dirs}/{,**} r, + owner @{user_music_dirs}/{,**} r, + owner @{user_pictures_dirs}/{,**} r, + owner @{user_projects_dirs}/{,**} r, + owner @{user_publicshare_dirs}/{,**} r, + owner @{user_sync_dirs}/{,**} r, + owner @{user_templates_dirs}/{,**} r, + owner @{user_torrents_dirs}/{,**} r, + owner @{user_videos_dirs}/{,**} r, + owner @{user_vm_dirs}/{,**} r, + owner @{user_work_dirs}/{,**} r, + + include if exists \ No newline at end of file diff --git a/apparmor.d/abstractions/user-read-all b/apparmor.d/abstractions/user-read-all new file mode 100644 index 000000000..1a218eb1b --- /dev/null +++ b/apparmor.d/abstractions/user-read-all @@ -0,0 +1,12 @@ + apparmor.d - Full set of apparmor profiles +# SPDX-License-Identifier: GPL-2.0-only + +# This abstraction provides safe read access to all directories +# that commonly include user owned files as referenced by the +# filesystem hierarchy standard. Hidden files in $HOME are excluded + + owner @{HOME}/ r, + owner @{HOME}/[^.]** r, + owner @{MOUNTDIRS}/{,**} r, + +include if exists