From d0a8030af8ed1d63c3045a2be3edd4422d4e597e Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sat, 1 Oct 2022 19:18:54 +0100
Subject: [PATCH] fix(profile): add deny-sensitive-home abstraction.
---
 apparmor.d/abstractions/deny-sensitive-home | 36 +++++++++++++++++++++
 apparmor.d/groups/gnome/nautilus | 1 +
 apparmor.d/groups/gnome/tracker-miner | 1 +
 3 files changed, 38 insertions(+)
 create mode 100644 apparmor.d/abstractions/deny-sensitive-home
diff --git a/apparmor.d/abstractions/deny-sensitive-home b/apparmor.d/abstractions/deny-sensitive-home
new file mode 100644
index 000000000..6fa612e86
--- /dev/null
+++ b/apparmor.d/abstractions/deny-sensitive-home
@@ -0,0 +1,36 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# DO NOT USE IT WITHOUT EXPLICIT AUTHORISATION FROM THE PROJECT MAINTAINER
+
+# Per the first rule of this project:
+# As these are mandatory access control policies only what it explicitly required
+# should be authorized. Meaning, you should not allow everything (or a large area)
+# and blacklist some sub area.
+
+# Use in this project: file browser and search engine
+
+  deny @{HOME}/.*_history rwlk,
+  deny @{HOME}/.*age*{,/{,**}} rwlk,
+  deny @{HOME}/.*cert*{,/{,**}} rwlk,
+  deny @{HOME}/.*key*{,/{,**}} rwlk,
+  deny @{HOME}/.*pass*{,/{,**}} rwlk,
+  deny @{HOME}/.*pki*{,/{,**}} rwlk,
+  deny @{HOME}/.*private*{,/{,**}} rwlk,
+  deny @{HOME}/.*secret*{,/{,**}} rwlk,
+  deny @{HOME}/.*yubi*{,/{,**}} rwlk,
+  deny @{HOME}/.lesshst* rwlk,
+  deny @{HOME}/.wget-hsts rwlk,
+  deny @{HOME}/@{XDG_GPG_DIR}/{,**} rwlk,
+  deny @{HOME}/@{XDG_SSH_DIR}/{,**} rwlk,
+
+  # Deny executable mapping in writable space as allowed in abstractions/fonts
+  deny @{HOME}/.{,cache/}fontconfig/ rw,
+  deny @{HOME}/.{,cache/}fontconfig/** mrwl,
+
+  # Deny executable mapping in writable space as allowed in abstractions/base for ecryptfs
+  deny @{HOME}/.Private/** mrxwlk,
+  deny @{HOMEDIRS}/.ecryptfs/*/.Private/** mrxwlk,
+
+  include if exists
diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus
index 1fb5d94cd..a25a92e0f 100644
--- a/apparmor.d/groups/gnome/nautilus
+++ b/apparmor.d/groups/gnome/nautilus
@@ -58,6 +58,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
   owner /tmp/{,**} rw,
   # Silence non user's data
+  include
   deny /boot/{,**} r,
   deny /opt/{,**} r,
   deny /root/{,**} r,
diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner
index 4102052d6..53c8e1085 100644
--- a/apparmor.d/groups/gnome/tracker-miner
+++ b/apparmor.d/groups/gnome/tracker-miner
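Review bot: The `deny @{HOME}/.*key*`, `.*pass*`, `.*secret*` family of rules in this hunk only matches a single path component directly under @{HOME} (AppArmor's `*` does not cross `/`), so credential stores one level deeper — for example `@{HOME}/.local/share/keyrings/` used by gnome-keyring, or per-application profile directories under `.config/` — are not covered even though a file browser or indexer would read them just as readily. Either state that scope in the header, e.g. `# Only top-level dotfiles/dirs of @{HOME} are matched; secrets kept under .config/ or .local/share/ are not covered by this abstraction.`, or add the known locations explicitly, e.g. `deny @{HOME}/.local/share/keyrings/{,**} rwlk,` (constructed from the same pattern as the existing entries). Plain `deny` rules are quiet by default, so an application that silently stops seeing `~/.ssh` or `~/.password-store` leaves no audit entry; consider `audit deny` on the credential entries, or at least a comment saying the denials are intentionally unlogged, so the behaviour is diagnosable. The header line `# As these are mandatory access control policies only what it explicitly required` reads better as `only what is explicitly required`.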
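Review bot: The new include line is placed under the `# Silence non user's data` comment, but the abstraction it pulls in denies paths inside the user's own home (history files, `@{XDG_SSH_DIR}`, `@{XDG_GPG_DIR}`), so the existing comment now misdescribes the group. A dedicated comment such as `# Silence user's sensitive data` directly above the include would keep the section accurate. Because AppArmor gives `deny` precedence over allow rules regardless of where they appear, the placement does not affect enforcement and the change is purely for readability. The include target is not visible in this rendering of the patch, so its exact path could not be checked here.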
@@ -12,6 +12,7 @@ profile tracker-miner @{exec_path} {
   include
   include
   include
+  include
   include
   include
   include