[apparmor] Apparmor profile as blacklist - default allow
John Johansen
john.johansen at canonical.com
Wed Jun 22 06:54:16 UTC 2016
On 06/21/2016 10:47 PM, Georg Schoenberger wrote:
> Hi Apparmor Team,
>
> I am currently working on a profile for PHP-FPM. Unfortunately the
> application is quite complicated,
> therefore I am thinking about using a blacklist (default allow) in the
> profile:
> * http://wiki.apparmor.net/index.php/FAQ#What_is_Default_Allow_.28Black_listing.29
>
> Any examples on how to do that in the profile?
>
You allow everything and then use deny rules.
profile example {
  file,
  network,
  capability,
  mount,
  ptrace,
  signal,
  unix,
  # err whatever else I am missing
  deny /foo rw,
  deny capability sys_admin,
  # ...
}
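
The following is an added example, not part of the reply above and not AppArmor tooling. It checks a default-allow profile for rule classes that have no bare allow rule, since anything not allowed inside a profile is still denied, and lists the deny rules that form the blacklist. The class list and the function name are assumptions, and the parser only handles a single flat profile whose rules contain no commas.

```python
import re

# Rule classes from the reply plus umount, pivot_root and dbus, which also
# take a bare "allow everything" form. Assumed list: adjust it to the
# AppArmor version in use.
CLASSES = ("file", "network", "capability", "mount", "umount",
           "pivot_root", "ptrace", "signal", "unix", "dbus")

# The profile from the reply, embedded so the check runs offline.
SAMPLE = """profile example {
  file,
  network,
  capability,
  mount,
  ptrace,
  signal,
  unix,
  # err whatever else I am missing
  deny /foo rw,
  deny capability sys_admin,
}"""

def audit_blacklist_profile(text):
    """Return (classes with no bare allow rule, list of deny rules)."""
    body = re.sub(r"#[^\n]*", "", text)       # drop comments
    match = re.search(r"\{(.*)\}", body, re.S)
    if not match:
        raise ValueError("no profile body found")
    allowed, denies = set(), []
    for rule in (r.strip() for r in match.group(1).split(",")):
        words = rule.split()
        # Skip qualifiers that may precede the rule itself.
        while words and words[0] in ("audit", "allow"):
            words.pop(0)
        if not words:
            continue
        if words[0] == "deny":
            denies.append(" ".join(words[1:]))
        elif len(words) == 1 and words[0] in CLASSES:
            allowed.add(words[0])             # bare rule covers the whole class
    missing = [c for c in CLASSES if c not in allowed]
    return missing, denies

if __name__ == "__main__":
    missing, denies = audit_blacklist_profile(SAMPLE)
    print("classes still default-deny:", missing)
    print("blacklisted:", denies)
```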