diff --git a/apparmor.d/abstractions/user-data b/apparmor.d/abstractions/user-data new file mode 100644 index 000000000..6406b3e84 --- /dev/null +++ b/apparmor.d/abstractions/user-data @@ -0,0 +1,49 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Gives access to non-hidden files in user's $HOME. +# Warning: experiemental, only for abi 4+, requires a prompting client. + + abi , + + # Allow accessing the GNOME crypto services prompt APIs as used by + # applications using libgcr (such as pinentry-gnome3) for secure pin + # entry to unlock GPG keys etc. See: + # https://developer.gnome.org/gcr/unstable/GcrPrompt.html + # https://developer.gnome.org/gcr/unstable/GcrSecretExchange.html + # https://github.com/snapcore/snapd/pull/7673#issuecomment-592229711 + dbus send bus=session path=/org/gnome/keyring/Prompter + interface=org.gnome.keyring.internal.Prompter + member={BeginPrompting,PerformPrompt,StopPrompting} + peer=(name="{@{busname}", label=pinentry-*), + dbus receive bus=session path=/org/gnome/keyring/Prompt/p@{int} + interface=org.gnome.keyring.internal.Prompter.Callback + member={PromptReady,PromptDone} + peer=(name="{@{busname}", label=pinentry-*), + + # Allow read access to toplevel $HOME & mounts for the user. + prompt owner @{HOME}/ r, + prompt owner @{MOUNTS}/ r, + + # Allow read/write access to all files in @{HOME}, except snap application + # data in @{HOME}/snap and toplevel hidden directories in @{HOME}. + prompt owner @{HOME}/[^s.]** rwlk, + prompt owner @{HOME}/s[^n]** rwlk, + prompt owner @{HOME}/sn[^a]** rwlk, + prompt owner @{HOME}/sna[^p]** rwlk, + prompt owner @{HOME}/snap[^/]** rwlk, + prompt owner @{HOME}/{s,sn,sna}{,/} rwlk, + + # Allow access to mounts (/mnt/*/, /media/*/, @{run}/media/@{user}/*/, gvfs) + # for non-hidden files owned by the user. + prompt owner @{MOUNTS}/[^.]** rwlk, + + # Disallow writes to the well-known directory included in + # the user's PATH on several distributions + audit deny @{HOME}/bin/{,**} wl, + audit deny @{HOME}/bin wl, + + include if exists + +# vim:syntax=apparmor