Explicitly DENY acces to dotfiles


#1

Currently access to dotfiles under user $HOME is not allowed but it isn’t denied neither which may result with a lot of audit messages being generated.

For example, when using chromium, opening file dialog (i.e. to import bookmarks) and selecting $HOME dir causes DENIED audit messages for almost every dotfile.

This is especially annoying when aa-notify is running on system as it causes the whole screen being filled with notifications. Even without aa-notify, the audit log is less usable with so much noise inside.

Originally reported in: Call for testing: chromium based on core18


Call for testing: chromium based on core18
#2

Explicit denies would silence the denials, yes, but deny rules are evaluated after allow rules such that you cannot undo a deny rule with an allow rule. This means that with what you propose, if the snap used, say, the gpg-public-keys interface, then even though the interface was connected, access to the ~/.gnupg directory would be denied.

What we really need is a ‘quiet’ rule that doesn’t affect access, only logging, but it isn’t available just yet (it is on the roadmap). In addition to the ‘quiet’ rule, there will also be the ability to quiet at the profile level. This allows the possibility for snapd to silence certain or all policy violations (eg, based on admin configuration).


#3

You’re right. Perhaps this can be worked around with some complicated rule which will deny everything except known parts of snap interfaces. It may be too complicated though.