How to disable access to document directories? #339

beroal · 2024-05-29T17:08:49Z

beroal
May 29, 2024

Hi. I want to use this set of profiles, but I don't like the policy that programs have access to document directories by default. An example of a document directory is @{MOUNTS}/@{XDG_DOCUMENTS_DIR}. Instead, I grant access by creating files in the local directory. Is it enough to empty the files abstractions/user*?

Answered by roddhjav

May 29, 2024

Yes, the concerned profiles are the one using any of abstractions/user-read, abstractions/user-read-strict, abstractions/user-write, abstractions/user-write-strict. Therefore you can edit these abstractions file to disable their effects.

However, some profiles do not use these abstractions (these abs are quite large as you said). The user access is usually directly coded in the profile. For example, see vlc and yacreader:

apparmor.d/apparmor.d/profiles-s-z/vlc

Lines 51 to 54 in adccd00

     owner @{user_music_dirs}/{,**} rw,  
   owner @{user_pictures_dirs}/{,**} rw,  
   owner @{user_torrents_dirs}/{,**} rw,  
   owner @{user_videos_dirs}/{,**} rw,  

 

apparmor.d/apparmor.d/p…

View full answer

roddhjav · 2024-05-29T20:56:14Z

roddhjav
May 29, 2024
Maintainer

Yes, the concerned profiles are the one using any of abstractions/user-read, abstractions/user-read-strict, abstractions/user-write, abstractions/user-write-strict. Therefore you can edit these abstractions file to disable their effects.

However, some profiles do not use these abstractions (these abs are quite large as you said). The user access is usually directly coded in the profile. For example, see vlc and yacreader:

apparmor.d/apparmor.d/profiles-s-z/vlc

Lines 51 to 54 in adccd00

    
           owner @{user_music_dirs}/{,**} rw, 
        
           owner @{user_pictures_dirs}/{,**} rw, 
        
           owner @{user_torrents_dirs}/{,**} rw, 
        
           owner @{user_videos_dirs}/{,**} rw,

apparmor.d/apparmor.d/profiles-s-z/YACReaderLibrary

Lines 32 to 33 in adccd00

    
           owner @{user_books_dirs}/{,**} r, 
        
           owner @{user_books_dirs}/**/.yacreaderlibrary/{,**} rwk,

Finally, some programs (file browsers, search engine) need full access to user data (owner @{HOME}/{,**}. You can easily look for them. They usually are limited thanks to the deny-sensitive-home abstraction. Therefore you can limit what they can see using this abstraction.

2 replies

beroal May 31, 2024
Author

Thank you for your answer. Since some profiles have this access regardless of abstractions/user*, I think that it is more secure to edit tunables/xdg_user_dirs instead of abstractions/user*. Does the following definition

${XDG_DOCUMENTS_DIR}=

make any rule containing ${XDG_DOCUMENTS_DIR} disappear? Because the value is an empty array. If not, then I need to assign an unused directory to these variables.

roddhjav May 31, 2024
Maintainer

That won't work, empty variables are not valid variables. @{XDG_DOCUMENTS_DIR}="" would work but it would do the opposite of your objective. With an empty XDG_DOCUMENTS_DIR, owner @{HOME}/@{XDG_DOCUMENTS_DIR}/{,**} rw, is the same than owner @{HOME}/{,**} rw,

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

How to disable access to document directories? #339

{{title}}

Replies: 1 comment 2 replies

{{title}}

{{title}}

{{title}}

Select a reply

	owner @{user_music_dirs}/{,**} rw,
	owner @{user_pictures_dirs}/{,**} rw,
	owner @{user_torrents_dirs}/{,**} rw,
	owner @{user_videos_dirs}/{,**} rw,

How to disable access to document directories? #339

beroal May 29, 2024

Replies: 1 comment · 2 replies

roddhjav May 29, 2024 Maintainer

beroal May 31, 2024 Author

roddhjav May 31, 2024 Maintainer

beroal
May 29, 2024

Replies: 1 comment 2 replies

roddhjav
May 29, 2024
Maintainer

beroal May 31, 2024
Author

roddhjav May 31, 2024
Maintainer