[apparmor] Default deny access to the directory

Seth Arnold seth.arnold at canonical.com
Fri Jan 16 03:39:48 UTC 2015


On Thu, Jan 15, 2015 at 08:23:22PM +0200, Dmitry Kasatkin wrote:
> I am running stock Ubuntu 14.10 and there I would like to create a policy
> which allows program '/sbin/appd' to access directory '/etc/appd/', but
> forbids it for any other program, whether it has a profile or not.
> 
> Is there any way to specify a "default" policy which denies access to
> /etc/food?

You can achieve something like this using AppArmor with some work:
http://wiki.apparmor.net/index.php/FullSystemPolicy

The gist is that you'd create a profile suitable for your 'init' process,
create profiles suitable for "everything else", the other profiles on your
system, and a profile for /sbin/appd.

None of the profiles would have /etc/appd/ permissions except the
/sbin/appd profile.

Every process on your system would then run confined in a profile; at
least one profile would probably need to be quite permissive -- nearly
everything would run under that profile.

I haven't yet tried this for myself; I expect it's a fair amount of work
to get it just right.

Thanks
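A sketch of the profile pieces described above, as an added example that is not from the thread or from the FullSystemPolicy wiki page. Only '/sbin/appd' and '/etc/appd/' come from the question; the profile name 'catchall', its permissions, and the use of 'pix' transitions are assumptions, and the init profile plus how the catch-all gets attached at boot are left to the wiki page.

```apparmor
# Added example, not from the original thread.
# Would live in /etc/apparmor.d/ alongside the system profiles.
#include <tunables/global>

# The one profile that may touch /etc/appd/.
/sbin/appd {
  #include <abstractions/base>

  /sbin/appd mr,
  /etc/appd/ r,
  /etc/appd/** rw,
}

# Catch-all for "everything else". It has no attachment path, so it
# is only entered via a transition from the init profile (assumed).
profile catchall flags=(attach_disconnected) {
  #include <abstractions/base>

  # Deliberately permissive so unprofiled programs keep working.
  capability,
  network,
  /** rwlkm,

  # Programs that have their own profile transition into it (p);
  # anything without one stays confined here (i = inherit).
  /** pix,

  # deny rules win over the broad grants above, so even this
  # permissive profile cannot reach the protected directory.
  deny /etc/appd/ rwklmx,
  deny /etc/appd/** rwklmx,
}
```

The explicit deny is belt-and-braces: leaving /etc/appd/ out of every non-appd profile already blocks access, but a logged deny makes attempts visible in the audit log.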