[apparmor] Minimal apparmor profile
Kees Cook
kees at ubuntu.com
Fri Dec 9 18:22:07 UTC 2011
Hi Alex,

On Fri, Dec 09, 2011 at 01:11:41PM -0500, Alex Coventry wrote:
> Hi, does anyone have the minimal profile necessary to allow a
> gcc-compiled hello-world program to run on ubuntu?

It seems you've already found this, but I'd start with:

    /path/to/hello {
      #include <abstractions/base>
    }

All that is really needed for hello-world is the loader and libc, though.

> Alternatively, is there a quick way to reload a single profile, without
> restarting apparmor? It would be pretty easy to figure the minimal
> ruleset out by successively trimming entries from abstractions/base,
> given that.

    sudo apparmor_parser -r /etc/apparmor.d/name.of.profile.file

> Also, is there an apparmor rule allowing the prctl syscall?

prctl() is not mediated by apparmor.

-Kees
--
Kees Cook
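
The trimming procedure asked about above, driven by the single-profile reload command from the reply, as an added example that is not part of the original thread. The function names are hypothetical, and it assumes GNU sed and a profile file that already works, with the rules from abstractions/base pasted inline one per line in place of the #include.

```shell
#!/bin/sh
# Added example: greedy one-rule-at-a-time trimming of an AppArmor profile.
# Only `apparmor_parser -r` comes from the thread; the helpers are hypothetical.

# Reload a single profile file without restarting AppArmor.
reload_profile() { sudo apparmor_parser -r "$1"; }

# Assumption: the target "works" if it exits 0 under the loaded profile.
# A denial the program silently tolerates will not be noticed by this check.
target_works() { "$1" >/dev/null 2>&1; }

# trim_profile TARGET PROFILE_FILE
# Walks the file bottom-up so deleting line i never shifts the lines above it.
trim_profile() {
    local target="$1" profile="$2" i line backup
    backup=$(mktemp) || return 1
    reload_profile "$profile" && target_works "$target" || {
        echo "baseline profile does not work, nothing to trim" >&2
        rm -f "$backup"
        return 1
    }
    i=$(wc -l < "$profile")
    while [ "$i" -ge 1 ]; do
        line=$(sed -n "${i}p" "$profile")
        case $line in
            *,) ;;                            # rule lines end with a comma
            *) i=$((i - 1)); continue ;;      # keep header, braces, includes
        esac
        cp "$profile" "$backup"
        sed -i "${i}d" "$profile"             # tentatively drop this rule
        if reload_profile "$profile" && target_works "$target"; then
            echo "dropped: $line" >&2
        else
            cp "$backup" "$profile"           # rule was needed: restore it
            reload_profile "$profile"
        fi
        i=$((i - 1))
    done
    rm -f "$backup"
}

# Usage (paths are placeholders):
#   trim_profile /path/to/hello /etc/apparmor.d/name.of.profile.file
```

The file is edited in place, so run it on a copy of the profile or keep the original under version control.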