add new read abstraction

2024-02-06 21:51:52 +01:00 · 2024-02-06 21:51:52 +01:00 · ca05b649ca
commit ca05b649ca
parent 968da5518b
2 changed files with 35 additions and 23 deletions
--- a/apparmor.d/abstractions/user-read
+++ b/apparmor.d/abstractions/user-read
@ -1,27 +1,12 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
+ apparmor.d - Full set of apparmor profiles
 # SPDX-License-Identifier: GPL-2.0-only

-# This abstraction gives read access on all defined user directories. It should
-# only be used if access to **ALL** folders is required.
+# This abstraction provides safe read access to all directories
+# that commonly include user owned files as referenced by the 
+# filesystem hierarchy standard. Hidden files in $HOME are excluded

-  owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,
-  owner @{HOME}/@{XDG_SCREENSHOTS_DIR}/{,**} r,
-  owner @{MOUNTS}/@{XDG_SCREENSHOTS_DIR}/{,**} r,
-  owner @{MOUNTS}/@{XDG_WALLPAPERS_DIR}/{,**} r,
-
-  owner @{user_books_dirs}/{,**} r,
-  owner @{user_documents_dirs}/{,**} r,
-  owner @{user_games_dirs}/{,**} r,
-  owner @{user_music_dirs}/{,**} r,
-  owner @{user_pictures_dirs}/{,**} r,
-  owner @{user_projects_dirs}/{,**} r,
-  owner @{user_publicshare_dirs}/{,**} r,
-  owner @{user_sync_dirs}/{,**} r,
-  owner @{user_templates_dirs}/{,**} r,
-  owner @{user_torrents_dirs}/{,**} r,
-  owner @{user_videos_dirs}/{,**} r,
-  owner @{user_vm_dirs}/{,**} r,
-  owner @{user_work_dirs}/{,**} r,
+  owner @{HOME}/ r,
+  owner @{HOME}/[^.]**  r,
+  owner @{MOUNTDIRS}/{,**} r,

 include if exists <abstractions/user-read.d>
--- a/apparmor.d/abstractions/user-xdg-read
+++ b/apparmor.d/abstractions/user-xdg-read
@ -0,0 +1,27 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# This abstraction gives read access on all defined user directories. It should
+# only be used if access to **ALL** folders is required.
+
+  owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,
+  owner @{HOME}/@{XDG_SCREENSHOTS_DIR}/{,**} r,
+  owner @{MOUNTS}/@{XDG_SCREENSHOTS_DIR}/{,**} r,
+  owner @{MOUNTS}/@{XDG_WALLPAPERS_DIR}/{,**} r,
+
+  owner @{user_books_dirs}/{,**} r,
+  owner @{user_documents_dirs}/{,**} r,
+  owner @{user_games_dirs}/{,**} r,
+  owner @{user_music_dirs}/{,**} r,
+  owner @{user_pictures_dirs}/{,**} r,
+  owner @{user_projects_dirs}/{,**} r,
+  owner @{user_publicshare_dirs}/{,**} r,
+  owner @{user_sync_dirs}/{,**} r,
+  owner @{user_templates_dirs}/{,**} r,
+  owner @{user_torrents_dirs}/{,**} r,
+  owner @{user_videos_dirs}/{,**} r,
+  owner @{user_vm_dirs}/{,**} r,
+  owner @{user_work_dirs}/{,**} r,
+
+  include if exists <abstractions/user-read.d>