[apparmor] Denying a sub-tree to unconfined processes?

Seth Arnold seth.arnold at gmail.com
Mon Dec 5 22:51:47 UTC 2011


On Fri, Dec 2, 2011 at 3:35 PM, Rob Meijer <pibara at gmail.com> wrote:
> Progress on MinorFs2 is proceeding slowly, but there is progress,
> design is basically ready and I've started on re-implementing the
> first file-system in Python.

Superb! I'm glad to hear you're making progress.

> If AppArmor could be configured such that it could deny access to
> anything under the cap_fs mount-point to all unconfined processes.
> Does this make sense? And if so, would you consider this as a feature
> request for future versions of AppArmor, or does such a feature
> actually already exist?

I have long wanted (or, rather, I _think_ I want) the ability to deny
network access to all unconfined programs. I don't trust the network, and
would like to force _all_ network access to go through confined programs.

I must admit that I've never tried a /** catch-all profile to deny network
access but something about that approach doesn't feel the same as saying
"I want these specific resources to be accessed via confined programs
only".

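As an added illustration of the "/** catch-all profile" idea Seth mentions (this is example text, not a profile from the thread, from MinorFs2, or from the AppArmor project), the sketch below attaches a profile to every executable path, so that any program that would otherwise run unconfined picks up a profile on exec, and then uses deny rules for the two resources discussed: the network, and the cap_fs sub-tree. The mount point /mnt/cap_fs is an assumption; the thread does not give MinorFs2's real path.

```apparmor
# Added example, not from the original thread. Assumes MinorFs2's cap_fs
# is mounted at /mnt/cap_fs (hypothetical path).
#
# A profile whose attachment path is "/**" matches every executable that
# has no more specific profile, so a process that execs a binary while
# unconfined will land in this profile instead of staying unconfined.
/** {
  #include <abstractions/base>

  # Keep the system usable: allow everything that is not explicitly denied.
  # Deny rules take precedence over allow rules, so the denies below still win.
  /** mrwlkix,
  capability,

  # Seth's wish: processes that only match the catch-all get no network.
  deny network,

  # Rob's wish: nothing under the cap_fs mount point is reachable from here.
  # "x" on its own is permitted in deny rules and blocks executing files there.
  deny /mnt/cap_fs/** rwlkmx,
}
```

Two caveats that explain why this is not quite the same as "these resources only via confined programs": the profile is applied at exec time, so processes that are already running unconfined stay unconfined until they exec something; and a program with its own, more specific profile (say a profile named after /usr/sbin/cupsd) attaches to that profile rather than to /**, so it only loses the network or cap_fs access if its own profile denies them too. A common way to get the second half is to put the deny rules into an abstraction that every profile includes (abstractions/base is the usual candidate), so the restriction is inherited rather than repeated per profile.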