abstractions/private-files-strict: disallow access to the dirs of private files

Reference: https://launchpad.net/bugs/1794820
2025-08-30 05:47:59 +00:00 · 2018-09-27 11:42:03 -05:00 · 2018-09-27 11:42:03 -05:00 · 25aad109e1
commit 25aad109e1
parent 859a16310b
1 changed files with 12 additions and 12 deletions
--- a/profiles/apparmor.d/abstractions/private-files-strict
+++ b/profiles/apparmor.d/abstractions/private-files-strict
@ -5,17 +5,17 @@
  #include <abstractions/private-files>

  # potentially extremely sensitive files
-  audit deny @{HOME}/.gnupg/** mrwkl,
-  audit deny @{HOME}/.ssh/** mrwkl,
-  audit deny @{HOME}/.gnome2_private/** mrwkl,
-  audit deny @{HOME}/.gnome2/keyrings/** mrwkl,
+  audit deny @{HOME}/.gnupg/{,**} mrwkl,
+  audit deny @{HOME}/.ssh/{,**} mrwkl,
+  audit deny @{HOME}/.gnome2_private/{,**} mrwkl,
+  audit deny @{HOME}/.gnome2/keyrings/{,**} mrwkl,
  # don't allow access to any gnome-keyring modules
-  audit deny /{,var/}run/user/[0-9]*/keyring** mrwkl,
-  audit deny @{HOME}/.mozilla/** mrwkl,
-  audit deny @{HOME}/.config/chromium/** mrwkl,
-  audit deny @{HOME}/.{,mozilla-}thunderbird/** mrwkl,
-  audit deny @{HOME}/.evolution/** mrwkl,
-  audit deny @{HOME}/.config/evolution/** mrwkl,
-  audit deny @{HOME}/.kde{,4}/share/apps/kmail{,2}/** mrwkl,
-  audit deny @{HOME}/.kde{,4}/share/apps/kwallet/** mrwkl,
+  audit deny /{,var/}run/user/[0-9]*/keyring*{,/,/**} mrwkl,
+  audit deny @{HOME}/.mozilla/{,**} mrwkl,
+  audit deny @{HOME}/.config/chromium/{,**} mrwkl,
+  audit deny @{HOME}/.{,mozilla-}thunderbird/{,**} mrwkl,
+  audit deny @{HOME}/.evolution/{,**} mrwkl,
+  audit deny @{HOME}/.config/evolution/{,**} mrwkl,
+  audit deny @{HOME}/.kde{,4}/share/apps/kmail{,2}/{,**} mrwkl,
+  audit deny @{HOME}/.kde{,4}/share/apps/kwallet/{,**} mrwkl,