Improve security of config volume for addons

Currently addons are motivated to save their config files in /config/addons_config, which is globally accessible, because an addon's /data cannot be accessed by the File editor or SSH, which are usually used by addon users to configure them.

When all addons can access all the others' config, then AppArmor is just kind of a placebo.

I think addons (ideally including HASS) should have the volume mounted only to their own subfolder unless they are marked privileged. So e.g. the File editor can be allowed to edit all configs, but the others not.

Or better, addons should define the volumes they need, or ask the user to give them access to a specific directory. For example, the Samba NAS addon currently requires privileged access only to access USB drives. I would like to not give it privileged access, but access only to that specific drive.

I’m a bit confused about which folders you’re talking about. Perhaps it’s different for hassos vs supervised. On hassos, addons will have a /data folder that is mapped to /mnt/data/supervisor/addons/data/xxxxxxxx_addoname on the host. Therefore one addon cannot see another addon’s data.

Some addons also have access to /config, which is mapped to /mnt/data/supervisor/homeassistant and is therefore shared between all addons with this access. I agree that it would be better if addons mapped this to a folder within the current one on the host, although I suspect this is up to each addon implementation. I have 23 addons, but only a handful have access to /config.

But my real concern is that secrets.yaml lives in the same folder.

The issue is with add-ons which want to allow the user to easily edit config files with the File editor. This add-on can access only /config, so they need to share it.

So to solve it we need to e.g. mount /config only into privileged add-ons, or better, add a separate config to allow access.

Btw, I am concerned about the HASS config because an attacker (like with add-ons) can configure it to open some backdoors. When HASS is compromised it can control everything else.
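As an added example (not code from this thread or from the Home Assistant Supervisor project), here are two variants of an add-on's config.yaml that contrast the broad mappings the thread objects to with a narrower set, using the `map`, `privileged`, `full_access`, `devices` and `apparmor` options of the Supervisor add-on configuration format. The add-on name, slug, version and the device path are assumed for illustration; whether a particular add-on can still do its job with the narrower set depends on what it actually does.

```yaml
# Added illustrative example, not from this thread or from the Supervisor project.
# Two variants of one add-on's config.yaml, written as two YAML documents in a
# single file so they can be compared; a real add-on ships a single document.

# Variant 1: the pattern the thread objects to (assumed add-on name/slug/version).
name: Example Storage Add-on
slug: example_storage
version: "1.0.0"
arch:
  - aarch64
  - amd64
map:
  - config:rw        # whole Home Assistant config dir, including secrets.yaml
  - share:rw
privileged:
  - SYS_ADMIN        # extra capability for mounting drives, but it allows far more
full_access: true    # every host device, not only the one USB drive
---
# Variant 2: the same add-on with access narrowed to what it needs.
name: Example Storage Add-on
slug: example_storage
version: "1.0.0"
arch:
  - aarch64
  - amd64
map:
  - share:rw         # keep its editable files under a /share subfolder, not /config
devices:
  - /dev/sda1        # only the specific drive (device path assumed for illustration)
apparmor: true       # keep the Supervisor's AppArmor confinement enabled
```

The point of the comparison is the one the thread makes: `config:rw` gives the add-on the same directory that holds secrets.yaml, and `full_access` plus `SYS_ADMIN` grants far more than access to one drive, whereas a `devices` entry scopes the grant to that drive alone.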