[apparmor] Apparmor profile as blacklist - default allow
John Johansen
john.johansen at canonical.com
Wed Jun 22 20:03:58 UTC 2016
On 06/22/2016 12:23 AM, Georg Schoenberger wrote:
> On 2016-06-22 08:54, John Johansen wrote:
>> On 06/21/2016 10:47 PM, Georg Schoenberger wrote:
>>> Hi Apparmor Team,
>>>
>>> I am currently working on a profile for PHP-FPM. Unfortunately the
>>> application is quite complicated,
>>> therefore I am thinking about using a blacklist (default allow) in the
>>> profile:
>>> * http://wiki.apparmor.net/index.php/FAQ#What_is_Default_Allow_.28Black_listing.29
>>>
>>> Any examples on how to do that in the profile?
>>>
>> You allow everything and then use deny rules.
>>
>> profile example {
>>   file,
>>   network,
>>   capability,
>>   mount,
>>   ptrace,
>>   signal,
>>   unix,
>>   # err what ever else I am missing
>>
>>   deny /foo rw,
>>   deny capability sys_admin,
>>   # ...
>> }
>>
> THX for the quick answer, exactly what I was looking for!
>
> Any further docs on a complete list of operations? (# err what ever else I am missing)
>
The answer is it depends on your version of apparmor. The types of rules
should be covered by apparmor.d. But some of the ones I missed were
change_profile,
dbus,
pivot_root,
umount,
and
rlimit,
though these are weird as they only set the rlimits for the task, as the LSM
has no hooks into their enforcement, and you can't use deny rules with them.
New types are added from time to time as well. E.g. there are experimental
versions with X, gsettings, etc. rules, which will land at some point when
they are ready.
Newer versions of the parser try hard to keep compatibility, but old
versions will break on rule types that are unknown.
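A complete default-allow profile that puts the rule types from this thread together, as an added illustration that is not from the original post or from any profile shipped by the AppArmor project. The attach path /usr/sbin/php-fpm*, the denied paths and the nproc value are assumptions chosen for the example:

```apparmor
# Default-allow ("blacklist") profile for PHP-FPM.
# Added example; the attach path and the denied paths are assumptions,
# not taken from any shipped profile.
#include <tunables/global>

profile php-fpm /usr/sbin/php-fpm* flags=(attach_disconnected) {

  # Allow everything first: one bare rule per rule type, including the
  # ones the thread lists as easy to forget.
  file,
  network,
  capability,
  mount,
  umount,
  pivot_root,
  ptrace,
  signal,
  unix,
  dbus,
  change_profile,

  # rlimit rules only set a limit for the task; there is no deny form.
  set rlimit nproc <= 512,

  # deny rules take precedence over allow rules, so the blacklist goes
  # here. Each line removes one thing from the blanket grants above.
  deny capability sys_admin,
  deny capability sys_module,
  deny capability sys_ptrace,
  deny mount,
  deny umount,
  deny pivot_root,
  deny ptrace,
  deny network raw,
  deny network packet,
  deny /etc/shadow r,
  deny /etc/gshadow r,
  deny /root/** rwkl,
  deny @{HOME}/.ssh/** rwkl,
  deny /proc/sys/** w,
  deny /sys/** w,
  audit deny /boot/** rwkl,
}
```

Check the syntax before loading with `apparmor_parser -Q` (parse without loading into the kernel), then load with `apparmor_parser -r`; a parser older than the `dbus` or `unix` rule types fails the load rather than ignoring the unknown rule, which is the compatibility break mentioned above. Adding `complain` to the flags list while the deny list is still being built logs the denials instead of enforcing them.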