MVP of AppArmor profile that only deny access specific folder

[fititnt]

Related

• MVP of AppArmor profile that only deny access to internet MVP of AppArmor profile that only deny access to internet #32

---

Let's do an minimum viable product (MVP) of AppArmor profile that shows how to at block access to specific folder even if running under user who runs the application do have access to the folders.

The #32 is interesting for apps (and not only binaries) that should not have access to internet. But what about software like Zoom, Skype, Spotify, Slack, etc that should have access to internet but could still access private files? Looking deeper on AppArmor, most softwares that ship with Ubuntu, even the ones that already are not isolated with Snaps, do have AppArmor profiles. But this is likely to not apply to other apps.

[fititnt]

Ubuntu 20.04 already have some interesting abstractions

/etc/apparmor.d/abstractions/private-files-strict

# vim:syntax=apparmor
# privacy-violations-strict contains additional rules for sensitive
# files that you want to explicitly deny access

  #include <abstractions/private-files>

  # potentially extremely sensitive files
  audit deny @{HOME}/.aws/{,**} mrwkl,
  audit deny @{HOME}/.gnupg/{,**} mrwkl,
  audit deny @{HOME}/.ssh/{,**} mrwkl,
  audit deny @{HOME}/.gnome2_private/{,**} mrwkl,
  audit deny @{HOME}/.gnome2/ w,
  audit deny @{HOME}/.gnome2/keyrings/{,**} mrwkl,
  # don't allow access to any gnome-keyring modules
  audit deny /{,var/}run/user/[0-9]*/keyring** mrwkl,
  audit deny @{HOME}/.mozilla/{,**} mrwkl,
  audit deny @{HOME}/.config/ w,
  audit deny @{HOME}/.config/chromium/{,**} mrwkl,
  audit deny @{HOME}/.config/evolution/{,**} mrwkl,
  audit deny @{HOME}/.evolution/{,**} mrwkl,
  audit deny @{HOME}/.{,mozilla-}thunderbird/{,**} mrwkl,
  audit deny @{HOME}/.kde{,4}/{,share/,share/apps/} w,
  audit deny @{HOME}/.kde{,4}/share/apps/kmail{,2}/{,**} mrwkl,
  audit deny @{HOME}/.kde{,4}/share/apps/kwallet/{,**} mrwkl,

/etc/apparmor.d/abstractions/private-files

# vim:syntax=apparmor
# privacy-violations contains rules for common files that you want to
# explicitly deny access

  # privacy violations (don't audit files under $HOME otherwise get a
  # lot of false positives when reading contents of directories)
  deny @{HOME}/.*history mrwkl,
  deny @{HOME}/.fetchmail* mrwkl,
  deny @{HOME}/.mutt** mrwkl,
  deny @{HOME}/.viminfo* mrwkl,
  deny @{HOME}/.*~ mrwkl,
  deny @{HOME}/.*.swp mrwkl,
  deny @{HOME}/.*~1~ mrwkl,
  deny @{HOME}/.*.bak mrwkl,

  # special attention to (potentially) executable files
  audit deny @{HOME}/bin/{,**} wl,
  audit deny @{HOME}/.config/ w,
  audit deny @{HOME}/.config/autostart/{,**} wl,
  audit deny @{HOME}/.config/upstart/{,**} wl,
  audit deny @{HOME}/.init/{,**} wl,
  audit deny @{HOME}/.kde{,4}/ w,
  audit deny @{HOME}/.kde{,4}/Autostart/{,**} wl,
  audit deny @{HOME}/.kde{,4}/env/{,**} wl,
  audit deny @{HOME}/.local/{,share/} w,
  audit deny @{HOME}/.local/share/thumbnailers/{,**} wl,
  audit deny @{HOME}/.pki/ w,
  audit deny @{HOME}/.pki/nssdb/{,*.so{,.[0-9]*}} wl,

  # don't allow reading/updating of run control files
  deny @{HOME}/.*rc mrk,
  audit deny @{HOME}/.*rc wl,

  # bash
  deny @{HOME}/.bash* mrk,
  audit deny @{HOME}/.bash* wl,
  deny @{HOME}/.inputrc mrk,
  audit deny @{HOME}/.inputrc wl,

  # sh/dash/csh/tcsh/pdksh/zsh
  deny @{HOME}/.{,z}profile* mrk,
  audit deny @{HOME}/.{,z}profile* wl,
  deny @{HOME}/.{,z}log{in,out} mrk,
  audit deny @{HOME}/.{,z}log{in,out} wl,

  deny @{HOME}/.zshenv mrk,
  audit deny @{HOME}/.zshenv wl,