Open fititnt opened 3 years ago
Ubuntu 20.04 already have some interesting abstractions
/etc/apparmor.d/abstractions/private-files-strict
# vim:syntax=apparmor
# privacy-violations-strict contains additional rules for sensitive
# files that you want to explicitly deny access
#include <abstractions/private-files>
# potentially extremely sensitive files
audit deny @{HOME}/.aws/{,**} mrwkl,
audit deny @{HOME}/.gnupg/{,**} mrwkl,
audit deny @{HOME}/.ssh/{,**} mrwkl,
audit deny @{HOME}/.gnome2_private/{,**} mrwkl,
audit deny @{HOME}/.gnome2/ w,
audit deny @{HOME}/.gnome2/keyrings/{,**} mrwkl,
# don't allow access to any gnome-keyring modules
audit deny /{,var/}run/user/[0-9]*/keyring** mrwkl,
audit deny @{HOME}/.mozilla/{,**} mrwkl,
audit deny @{HOME}/.config/ w,
audit deny @{HOME}/.config/chromium/{,**} mrwkl,
audit deny @{HOME}/.config/evolution/{,**} mrwkl,
audit deny @{HOME}/.evolution/{,**} mrwkl,
audit deny @{HOME}/.{,mozilla-}thunderbird/{,**} mrwkl,
audit deny @{HOME}/.kde{,4}/{,share/,share/apps/} w,
audit deny @{HOME}/.kde{,4}/share/apps/kmail{,2}/{,**} mrwkl,
audit deny @{HOME}/.kde{,4}/share/apps/kwallet/{,**} mrwkl,
/etc/apparmor.d/abstractions/private-files
# vim:syntax=apparmor
# privacy-violations contains rules for common files that you want to
# explicitly deny access
# privacy violations (don't audit files under $HOME otherwise get a
# lot of false positives when reading contents of directories)
deny @{HOME}/.*history mrwkl,
deny @{HOME}/.fetchmail* mrwkl,
deny @{HOME}/.mutt** mrwkl,
deny @{HOME}/.viminfo* mrwkl,
deny @{HOME}/.*~ mrwkl,
deny @{HOME}/.*.swp mrwkl,
deny @{HOME}/.*~1~ mrwkl,
deny @{HOME}/.*.bak mrwkl,
# special attention to (potentially) executable files
audit deny @{HOME}/bin/{,**} wl,
audit deny @{HOME}/.config/ w,
audit deny @{HOME}/.config/autostart/{,**} wl,
audit deny @{HOME}/.config/upstart/{,**} wl,
audit deny @{HOME}/.init/{,**} wl,
audit deny @{HOME}/.kde{,4}/ w,
audit deny @{HOME}/.kde{,4}/Autostart/{,**} wl,
audit deny @{HOME}/.kde{,4}/env/{,**} wl,
audit deny @{HOME}/.local/{,share/} w,
audit deny @{HOME}/.local/share/thumbnailers/{,**} wl,
audit deny @{HOME}/.pki/ w,
audit deny @{HOME}/.pki/nssdb/{,*.so{,.[0-9]*}} wl,
# don't allow reading/updating of run control files
deny @{HOME}/.*rc mrk,
audit deny @{HOME}/.*rc wl,
# bash
deny @{HOME}/.bash* mrk,
audit deny @{HOME}/.bash* wl,
deny @{HOME}/.inputrc mrk,
audit deny @{HOME}/.inputrc wl,
# sh/dash/csh/tcsh/pdksh/zsh
deny @{HOME}/.{,z}profile* mrk,
audit deny @{HOME}/.{,z}profile* wl,
deny @{HOME}/.{,z}log{in,out} mrk,
audit deny @{HOME}/.{,z}log{in,out} wl,
deny @{HOME}/.zshenv mrk,
audit deny @{HOME}/.zshenv wl,
Related
Let's do an minimum viable product (MVP) of AppArmor profile that shows how to at block access to specific folder even if running under user who runs the application do have access to the folders.
The #32 is interesting for apps (and not only binaries) that should not have access to internet. But what about software like Zoom, Skype, Spotify, Slack, etc that should have access to internet but could still access private files? Looking deeper on AppArmor, most softwares that ship with Ubuntu, even the ones that already are not isolated with Snaps, do have AppArmor profiles. But this is likely to not apply to other apps.