[apparmor] Allow defaults except for reading a directory
Seth Arnold
seth.arnold at gmail.com
Sun Aug 26 16:09:19 UTC 2012
If you write a profile for your pycharm.sh file and then give "ix" execute permissions to the java executable, the JVM spawned from pycharm.sh will inherit pycharm.sh's profile.
You can add "deny" rules to prevent access to those files by those names. (If they are bind-mounted or hardlinked into pathnames that _are_ allowed, access will be granted if requested under those different names.)
You may also wish to deny writes to AppArmor policies, kernel modules, kernels, and early startup programs, to reduce the chances the program can subvert AppArmor controls. (Though if pycharm.sh runs as a user, the standard Unix permissions should already do this.)
It could look something like:
/path/to/pycharm.sh {
  # default: read, write, mmap, inherit-execute, link and lock everywhere
  /** rwmixlk,

  # but refuse access to the Documents directory and everything under it
  deny /home/foo/Documents/ rw,
  deny /home/foo/Documents/** rwmxlk,
}
I'm less certain of the "x" on the deny line; check the apparmor.d(5) manpage for details. Also look in the /etc/apparmor.d/abstractions/ directory for more examples of "deny" rules (e.g., to prevent programs such as Firefox from reading your ~/.ssh/ files...)
I hope this helps.
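To see how the allow and deny path rules above resolve (including the point that a bind-mounted or hardlinked alias under a different name is still matched by /**), here is an added Python model of AppArmor path globbing and deny precedence. It is not from the post and not AppArmor's own matcher; it simplifies real policy evaluation, and the /mnt/docs alias path is a hypothetical example.

```python
import re

# Constructed mini-profile mirroring the one above: (kind, path glob, permission letters).
PROFILE = [
    ("allow", "/**", "rwmixlk"),
    ("deny", "/home/foo/Documents/", "rw"),
    ("deny", "/home/foo/Documents/**", "rwmxlk"),
]

def glob_to_regex(pattern):
    """Translate AppArmor path globbing to a regex.

    '**' matches any characters including '/', while '*' and '?' stop at '/'.
    """
    out = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")

def check_access(profile, path, perm):
    """Simplified evaluation of one permission letter on one path: allowed if some
    allow rule grants it and no matching deny rule removes it (deny always wins)."""
    allowed = False
    for kind, pattern, perms in profile:
        if perm in perms and glob_to_regex(pattern).match(path):
            if kind == "deny":
                return False
            allowed = True
    return allowed

if __name__ == "__main__":
    for path, perm in [("/home/foo/notes.txt", "r"),
                       ("/home/foo/Documents/secret.txt", "r"),
                       ("/home/foo/Documents/sub/deep.txt", "w"),
                       ("/mnt/docs/secret.txt", "r"),  # hypothetical bind-mounted alias of Documents
                       ("/usr/bin/java", "x")]:
        verdict = "allowed" if check_access(PROFILE, path, perm) else "denied"
        print(f"{perm} {path}: {verdict}")
```

The alias path comes back allowed because the deny rules match pathnames, not the underlying inode, which is the caveat in the reply above.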
-----Original Message-----
From: Ahmet Emre Alada <aladagemre at gmail.com>
Sender: apparmor-bounces at lists.ubuntu.com
Date: Sun, 26 Aug 2012 18:52:05
To: <apparmor at lists.ubuntu.com>
Subject: [apparmor] Allow defaults except for reading a directory
--
AppArmor mailing list
AppArmor at lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor