feat(profile): small improvement for snap.

2025-08-23 17:40:48 +02:00 · 2025-08-23 17:40:48 +02:00 · bfe35f254e
commit bfe35f254e
parent 15b8a6cea4
2 changed files with 16 additions and 6 deletions
--- a/apparmor.d/groups/snap/snap
+++ b/apparmor.d/groups/snap/snap
@ -18,6 +18,8 @@ profile snap @{exec_path} flags=(attach_disconnected) {
  include <abstractions/disks-read>
  include <abstractions/nameservice-strict>
  capability chown,
  capability dac_override,
  capability dac_read_search,
  capability setuid,
  capability sys_admin,
@ -70,10 +72,10 @@ profile snap @{exec_path} flags=(attach_disconnected) {
  @{DESKTOP_HOME}/snap/{,**} rw,
  /snap/{,**} rw,
-        @{HOME}/snap/{,**} rw,
+  @{HOME}/ r,
-  owner @{HOME}/ r,
+  @{HOME}/.snap.mkdir-new/ rw,
-  owner @{HOME}/.snap.mkdir-new/ rw,
+  @{HOME}/.snap/{,**} rw,
-  owner @{HOME}/.snap/{,**} rw,
+  @{HOME}/snap/{,**} rw,
  owner @{tmp}/snapd-auto-import-mount-@{int}/ rw,
@ -102,7 +104,11 @@ profile snap @{exec_path} flags=(attach_disconnected) {
  /dev/tty@{int} rw,
  /dev/ttyS@{int} rw,
-  deny @{user_share_dirs}/gvfs-metadata/* r,
+  /apparmor/.null rw,
  # file_inherit, safe to deny
  deny owner @{user_share_dirs}/gvfs-metadata/* r,
  deny owner @{user_share_dirs}/gnome-shell/session.gvdb rw,
  profile gpg {
    include <abstractions/base>
--- a/apparmor.d/groups/snap/snap-seccomp
+++ b/apparmor.d/groups/snap/snap-seccomp
@ -27,7 +27,11 @@ profile snap-seccomp @{exec_path} flags=(attach_disconnected) {
  owner @{PROC}/@{pids}/mountinfo r,
-  deny @{user_share_dirs}/gvfs-metadata/* r,
+  /apparmor/.null rw,
  # file_inherit, safe to deny
  deny owner @{user_share_dirs}/gnome-shell/session.gvdb rw,
  deny owner @{user_share_dirs}/gvfs-metadata/* r,
  include if exists <local/snap-seccomp>
 }