[apparmor] Apparmor profile as blacklist - default allow
Georg Schoenberger
g.schoenberger at xortex.com
Wed Jun 22 07:23:27 UTC 2016
On 2016-06-22 08:54, John Johansen wrote:
> On 06/21/2016 10:47 PM, Georg Schoenberger wrote:
>> Hi Apparmor Team,
>>
>> I am currently working on a profile for PHP-FPM. Unfortunately the
>> application is quite complicated, therefore I am thinking about using
>> a blacklist (default allow) in the profile:
>> * http://wiki.apparmor.net/index.php/FAQ#What_is_Default_Allow_.28Black_listing.29
>>
>> Any examples on how to do that in the profile?
>>
> You allow everything and then use deny rules.
>
> profile example {
>   file,
>   network,
>   capability,
>   mount,
>   ptrace,
>   signal,
>   unix,
>   # err what ever else I am missing
>
>   deny /foo rw,
>   deny capability sys_admin,
>   # ...
> }
>
THX for the quick answer, exactly what I was looking for!
Any further docs on a complete list of operations? (# err what ever else I am missing)
Regards, Georg
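
The checker below is an added example, not part of the thread and not AppArmor tooling: it scans a flat profile of the kind quoted above and lists the rule classes that have no blanket allow rule, which in a "default allow" profile remain refused wherever the kernel mediates them. `REFERENCE_CLASSES`, `audit_default_allow` and the sample text are assumptions made for this example; the class list is illustrative, not a complete inventory of AppArmor rule types.

```python
# Assumption: an illustrative list of AppArmor rule keywords, not a
# complete inventory of everything AppArmor can mediate.
REFERENCE_CLASSES = ["file", "network", "capability", "mount", "umount",
                     "pivot_root", "ptrace", "signal", "unix", "dbus"]

# Constructed sample: the profile quoted in the thread.
SAMPLE_PROFILE = """\
profile example {
  file,
  network,
  capability,
  mount,
  ptrace,
  signal,
  unix,
  # err what ever else I am missing

  deny /foo rw,
  deny capability sys_admin,
}
"""


def audit_default_allow(profile_text, reference=REFERENCE_CLASSES):
    """Lint one flat profile; includes and nested profiles are not expanded."""
    blanket, denies = set(), []
    for raw in profile_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line.endswith(","):
            continue                             # header, braces, blanks
        words = [w for w in line[:-1].split() if w not in ("audit", "owner")]
        if words[:1] == ["deny"] and len(words) > 1:
            # A rule that starts with a path or variable is a file rule.
            cls = "file" if words[1].startswith(("/", "@{")) else words[1]
            denies.append((cls, " ".join(words[1:])))
        elif words[:1] == ["allow"] and len(words) == 2 and words[1] in reference:
            blanket.add(words[1])
        elif len(words) == 1 and words[0] in reference:
            blanket.add(words[0])
    missing = [c for c in reference if c not in blanket]
    # Denies in a class with no blanket allow: likely a forgotten allow rule.
    orphans = [d for d in denies if d[0] not in blanket]
    return blanket, denies, missing, orphans


if __name__ == "__main__":
    _, _, missing, orphans = audit_default_allow(SAMPLE_PROFILE)
    print("no blanket allow for:", ", ".join(missing))
    print("deny rules in a class without a blanket allow:", orphans)
```
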