[apparmor] Allow defaults except for reading a directory

Ahmet Emre Aladağ aladagemre at gmail.com
Sun Aug 26 16:27:08 UTC 2012


Thank you very much for your answer,

# Last Modified: Sun Aug 26 00:00:35 2012
#include <tunables/global>

/home/research/.bin/pycharm-2.5.2/bin/pycharm.sh {
  /** rwmixlk,
  /usr/lib/jdk.1.7.0_06/bin/java rix,
  deny /home/research/Documents/ rw,
  deny /home/research/Documents/** rwmxlk,
}

This did not deny reading the Documents folder. Have I done what you
meant correctly here?


On Sun, Aug 26, 2012 at 7:09 PM, Seth Arnold <seth.arnold at gmail.com> wrote:

> If you write a profile for your pycharm.sh file and then give "ix" execute
> permissions to the java executable, the JVM spawned from pycharm.sh will
> inherit pycharm.sh's profile.
>
> You can add "deny" rules to prevent access to those files by those names.
> (If they are bind-mounted or hardlinked into pathnames that _are_ allowed,
> access will be granted if requested under those different names.)
> You may also wish to deny writes to AppArmor policies, kernel modules,
> kernels, and early startup programs, to reduce the chances the program can
> subvert AppArmor controls. (Though if pycharm.sh runs as a user, the
> standard Unix permissions should already do this.)
>
> It could look something like:
>
> /path/to/pycharm.sh {
>   /** rwmixlk,
>   deny /home/foo/Documents/ rw,
>   deny /home/foo/Documents/** rwmxlk,
> }
>
> I'm less certain of the "x" on the deny line; check the apparmor.d(5)
> manpage for details. Also look in the /etc/apparmor.d/abstractions/
> directory for more examples of "deny" rules (e.g., to prevent programs such
> as Firefox from reading your ~/.ssh/ files...)
>
> I hope this helps
>
>
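As an added illustration, not part of this thread, here is a small Python model of how AppArmor combines the allow and deny rules of the profile posted above: a path's permissions are the union of matching allow rules minus the union of matching deny rules, since deny takes precedence. The profile body is copied from the message; the glob handling (`*` stops at `/`, `**` is treated as one or more characters including `/`) and the helper names are simplifying assumptions of this model, not the apparmor_parser implementation.

```python
import re

# Body of the pycharm.sh profile as posted in the thread (constructed copy).
PROFILE = """
/** rwmixlk,
/usr/lib/jdk.1.7.0_06/bin/java rix,
deny /home/research/Documents/ rw,
deny /home/research/Documents/** rwmxlk,
"""

RULE_RE = re.compile(r'^(deny\s+)?(\S+)\s+([A-Za-z]+),$')

def glob_to_regex(pattern):
    """Assumed model of AppArmor globbing: '*' matches zero or more characters
    except '/', '**' matches one or more characters including '/'."""
    out, i = '', 0
    while i < len(pattern):
        if pattern.startswith('**', i):
            out += r'[^\x00]+'; i += 2
        elif pattern[i] == '*':
            out += r'[^/\x00]*'; i += 1
        else:
            out += re.escape(pattern[i]); i += 1
    return re.compile('^' + out + '$')

def parse_modes(s):
    """Split 'rwmixlk' into {'r','w','m','ix','l','k'}: an exec qualifier
    letter (i, p, u, c and their upper-case forms) binds to the following 'x'."""
    modes, i = set(), 0
    while i < len(s):
        if s[i] in 'iPpUuCc' and i + 1 < len(s) and s[i + 1] == 'x':
            modes.add(s[i:i + 2]); i += 2
        else:
            modes.add(s[i]); i += 1
    return modes

def parse_profile(text):
    """Return (is_deny, compiled_glob, modes) for every path rule; lines that
    are not path rules (includes, braces, comments) are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append((m.group(1) is not None, glob_to_regex(m.group(2)), parse_modes(m.group(3))))
    return rules

def effective_perms(rules, path):
    """Deny wins: permissions granted by matching allow rules minus those named
    by matching deny rules. A bare denied 'x' also removes qualified exec modes."""
    allowed, denied = set(), set()
    for is_deny, rx, modes in rules:
        if rx.match(path):
            (denied if is_deny else allowed).update(modes)
    if 'x' in denied:
        allowed = {m for m in allowed if not m.endswith('x')}
    return allowed - denied
```

Running `effective_perms(parse_profile(PROFILE), '/home/research/Documents/thesis.txt')` under this model yields an empty set, which is what the deny rules are meant to achieve; comparing such expectations against the real behaviour (and against `aa-status` and the audit log) is how a profile like this gets checked.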