
AppArmor config for Yandex.Disk

I've been using Yandex.Disk for quite a while for data synchronization and file sharing because of its simplicity: a standard WebDAV implementation (plus extensions for file sharing, all documented, although in Russian) that allows different clients to be used, and a nice web UI. They have also recently introduced a Linux client, which marries WebDAV with XMPP, the latter used for OOB notifications.

Being a bit cautious, I decided to run it on my system but restrict its access to everything else, so I wrote the following AppArmor config; now it is only allowed to touch the files within the ~/Yandex.Disk directory and its configuration. Put it in /etc/apparmor.d/usr.bin.yandex-disk:

usr.bin.yandex-disk (Source)

# vim:syntax=apparmor
# Author: Roman Yepishev <roman.yepishev@yandex.com>
#include <tunables/global>

/usr/bin/yandex-disk {
    #include <abstractions/base>
    #include <abstractions/nameservice>
    #include <abstractions/user-tmp>

    owner @{HOME}/.config/yandex-disk/ rw,
    owner @{HOME}/.config/yandex-disk/** rw,

# yandex-disk can add itself to autostart configuration
    owner @{HOME}/.config/autostart/Yandex.Disk.desktop rw,

# default sync location
    owner @{HOME}/Yandex.Disk/ rw,
    owner @{HOME}/Yandex.Disk/** rw,

# or change the location like this:
#   owner @{HOME}/OtherFolder/ rw,
#   owner @{HOME}/OtherFolder/** rw,

    /usr/bin/yandex-disk ixr,

    /bin/dash ixr,
}

Yandex.Disk supports symlinks, so if symlinks to other locations are used, all of those locations must also be listed in the AppArmor configuration file above. Otherwise, the access checks will fail and you will get this in the kernel log:

[77109.846335] type=1400 audit(1386173505.778:116): apparmor="DENIED" ↩
operation="open" parent=2000 profile="/usr/bin/yandex-disk" ↩
name="/home/rye/_wine.tar.gz" pid=2869 comm="yandex-disk" ↩
requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
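
As an added example (not part of the original post and not AppArmor's own tooling), the Python script below turns such denials into candidate rules for the profile. The sample log is constructed around the denial quoted above, and `parse_record`, `suggest_rules` and the other names are made up for this illustration.

```python
import re
from collections import defaultdict

# Constructed sample. Record 1 is the denial quoted above, joined onto one line;
# records 2-4 are made up: a write to the same file, another profile, an ALLOWED record.
_REC = ('[77109.846335] type=1400 audit(1386173505.778:116): apparmor="{verdict}" '
        'operation="open" parent=2000 profile="{profile}" name="{name}" pid=2869 '
        'comm="yandex-disk" requested_mask="{mask}" denied_mask="{mask}" fsuid=1000 ouid=1000')
YD = "/usr/bin/yandex-disk"
SAMPLE_LOG = "\n".join([
    _REC.format(verdict="DENIED", profile=YD, name="/home/rye/_wine.tar.gz", mask="r"),
    _REC.format(verdict="DENIED", profile=YD, name="/home/rye/_wine.tar.gz", mask="wc"),
    _REC.format(verdict="DENIED", profile="/usr/bin/other", name="/home/rye/notes.txt", mask="r"),
    _REC.format(verdict="ALLOWED", profile=YD, name="/home/rye/x", mask="r"),
])

FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')
HOME_RE = re.compile(r"^/home/[^/]+/")
# Log masks -> profile permissions. "c" (create) and "d" (delete) are granted by "w".
# "x" is left out on purpose: an exec rule needs a transition mode chosen by hand.
PERM = {"r": "r", "w": "w", "a": "a", "c": "w", "d": "w", "k": "k", "l": "l", "m": "m"}

def parse_record(line):
    """Return the key=value fields of one audit line as a dict, quotes stripped."""
    return {k: (q if raw.startswith('"') else raw) for k, raw, q in FIELD.findall(line)}

def suggest_rules(log_text, profile=YD):
    """Return sorted profile rule lines covering the file denials logged for `profile`."""
    wanted = defaultdict(set)  # (owner?, path) -> permission letters
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("apparmor") != "DENIED" or rec.get("profile") != profile:
            continue
        name = rec.get("name", "")
        if not name.startswith("/"):
            continue  # hex-encoded name or non-file record: review by hand
        owner = "fsuid" in rec and rec["fsuid"] == rec.get("ouid")
        path = HOME_RE.sub("@{HOME}/", name)
        wanted[(owner, path)].update(PERM[c] for c in rec.get("denied_mask", "") if c in PERM)
    rules = []
    for (owner, path), letters in sorted(wanted.items()):
        if "w" in letters:
            letters.discard("a")  # a rule may not combine w and a
        mode = "".join(p for p in "rwaklm" if p in letters)
        if mode:
            rules.append(f"{'owner ' if owner else ''}{path} {mode},")
    return rules

if __name__ == "__main__":
    print("\n".join(suggest_rules(SAMPLE_LOG)))
```

Review each suggested rule before adding it to the profile: a denial may be the profile doing its job rather than a missing symlink target.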

P.S. Yeah, I've stopped using Ubuntu One for the time being.