feat(abs): add the secrets-service abs.

apparmor.d/abstractions/bus/session/org.freedesktop.Secret

@@ -0,0 +1,49 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2017 Canonical Ltd
+# Copyright (C) 2021-2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Provide full access to the secret-service API:
+# - https://standards.freedesktop.org/secret-service/)
+#
+# The secret-service allows managing (add/delete/lock/etc) collections and
+# (add/delete/etc) items within collections. The API also has the concept of
+# aliases for collections which is typically used to access the default
+# collection. While it would be possible for an application developer to use a
+# snap-specific collection and mediate by object path, application developers
+# are meant to instead to treat collections (typically the default collection)
+# as a database of key/value attributes each with an associated secret that
+# applications may query. Because AppArmor does not mediate member data,
+# typical and recommended usage of the API does not allow for application
+# isolation. For details, see:
+# - https://standards.freedesktop.org/secret-service/ch03.html
+#
+
+  abi <abi/4.0>,
+
+  #aa:dbus common bus=session name=org.freedesktop.{S,s}ecret label=gnome-keyring-daemon
+
+  dbus send bus=session path=/org/freedesktop/secrets{,/**}
+       interface=org.freedesktop.Secret.{Collection,Item,Prompt,Service,Session}
+       peer=(name="{@{busname},org.freedesktop.secrets}", label=gnome-keyring-daemon),
+
+  dbus receive bus=session path=/org/freedesktop/secrets{,/**}
+       interface=org.freedesktop.Secret.{Collection,Item,Prompt,Service,Session}
+       peer=(name="{@{busname},org.freedesktop.secrets}", label=gnome-keyring-daemon),
+
+  dbus send bus=session path=/org/freedesktop/secrets
+       interface=org.freedesktop.DBus.Properties
+       member=GetAll
+       peer=(name=@{busname}, label=gnome-keyring-daemon),
+  dbus send bus=session path=/org/freedesktop/secrets
+       interface=org.freedesktop.Secret.Service
+       member=ReadAlias
+       peer=(name=org.freedesktop.secrets, label=gnome-keyring-daemon),
+  dbus send bus=session path=/org/freedesktop/secrets
+       interface=org.freedesktop.Secret.Service
+       member=SearchItems
+       peer=(name=@{busname}, label=gnome-keyring-daemon),
+
+  include if exists <abstractions/bus/session/org.freedesktop.Secret.d>
+
+# vim:syntax=apparmor

apparmor.d/abstractions/secrets-service

@@ -0,0 +1,33 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2017 Canonical Ltd
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Provide full access to the secret-service API:
+# - https://standards.freedesktop.org/secret-service/)
+#
+# The secret-service allows managing (add/delete/lock/etc) collections and
+# (add/delete/etc) items within collections. The API also has the concept of
+# aliases for collections which is typically used to access the default
+# collection. While it would be possible for an application developer to use a
+# snap-specific collection and mediate by object path, application developers
+# are meant to instead to treat collections (typically the default collection)
+# as a database of key/value attributes each with an associated secret that
+# applications may query. Because AppArmor does not mediate member data,
+# typical and recommended usage of the API does not allow for application
+# isolation. For details, see:
+# - https://standards.freedesktop.org/secret-service/ch03.html
+#
+
+  abi <abi/4.0>,
+
+  include <abstractions/bus/session/org.freedesktop.Secret>
+
+  dbus send bus=session path=/org/gnome/keyring/daemon
+       interface=org.gnome.keyring.Daemon
+       member=GetEnvironment
+       peer=(name=org.gnome.keyring, label=gnome-keyring-daemon),
+
+  include if exists <abstractions/secrets-service.d>
+
+# vim:syntax=apparmor