[apparmor] Default policy issue

Pierre Zurek pierre.zurek at parrot.com
Tue Oct 25 16:52:16 UTC 2016



On 24/10/2016 22:23, Christian Boltz wrote:
> Hello,
>
> Am Montag, 24. Oktober 2016, 14:11:49 CEST schrieb Pierre Zurek:
>> What I don't understand is that the profile seems to have a default
>> allow policy although I thought deny was the default policy in
>> AppArmor. Indeed, the /bin/busybox sh call gets correctly denied
>> because of the explicit "audit deny /bin/* lrwxk" rule, however the
>> "/sbin/busybox sh" call is successful.
>>
>> Could you explain to me why the default policy is allow instead of
>> deny and how can I change this ?
> Your profile contains
>      file,
> which allows all file access (including exec in ix mode).
>
> Remove that rule and add specific file rules for what you actually need.
>
>
> Also, you have other rules that allow everything in that area:
>      signal,  # all signals
>      mount,  # mounting anything anywhere
>      network,  # full network access
>
> Also, your capability list is quite broad. Are you sure you really need
> all of them?
>
>
> Regards,
>
> Christian Boltz
Hello,

Thanks a lot for your answer, it works now!
The capability list is based on
https://github.com/Parrot-Developers/firmwared/blob/master/resources/firmwared.apparmor.profile
and I did not delete all the lines before posting a simpler example here
(but it seems we need quite a lot of them in firmwared).

Pierre
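The contrast Christian describes above, written out as an added illustration. This is not firmwared's profile and not code from the thread: the profile name, the binary path /usr/local/bin/example-daemon, the config and state paths, and the single helper /sbin/busybox are hypothetical, chosen only to show why a bare `file,` rule turns a default-deny profile into a default-allow one and what the enumerated replacement looks like.

```apparmor
# Constructed example (not firmwared's profile). Hypothetical daemon at
# /usr/local/bin/example-daemon that must run /sbin/busybox and keep
# state under /var/lib/example/.
#include <tunables/global>

# --- Over-broad version, reproducing the behaviour from the thread ---
# Kept commented out: two profiles may not attach to the same path.
#
# A bare `file,` (no path, no permission list) grants every file
# permission (r, w, l, k, m and ix exec) on every path. AppArmor is
# still default-deny, but this one rule has already allowed everything,
# so only explicit deny rules bite. Deny rules always override allow
# rules, which is why /bin/busybox was blocked and /sbin/busybox was not.
#
# profile example-daemon-broad /usr/local/bin/example-daemon {
#   file,                         # every path, every permission
#   audit deny /bin/* lrwxk,      # the only thing being refused
#   signal,                       # any signal, any peer
#   mount,                        # any mount, anywhere
#   network,                      # every address family and type
#   capability,                   # every capability
# }

# --- Tightened version: enumerate what is actually needed ---
profile example-daemon /usr/local/bin/example-daemon {
  # Shared libraries, locale data, /dev/null and similar basics.
  #include <abstractions/base>

  # The binary itself (read + mmap).
  /usr/local/bin/example-daemon mr,

  # No `file,` catch-all, so any path not listed is denied and logged
  # as apparmor="DENIED". /bin/busybox is now refused without a deny
  # rule; /sbin/busybox is allowed and runs under this same profile (ix).
  /sbin/busybox ix,

  # Read-only configuration, read/write state directory (owner-only).
  /etc/example-daemon.conf r,
  owner /var/lib/example/ rw,
  owner /var/lib/example/** rwk,

  # Replace the bare rules with the narrow forms actually used.
  # No mount rule at all: the daemon mounts nothing.
  signal (receive) set=(term) peer=unconfined,
  signal (send) set=(term) peer=example-daemon,
  network inet stream,
  network inet6 stream,

  # Capabilities one at a time, not the whole list.
  capability net_bind_service,
}
```

Load the tightened profile with `apparmor_parser -r` on the profile file, confirm it is in enforce mode with `aa-status`, then exercise the two cases from the thread (`aa-exec -p example-daemon -- /bin/busybox sh` and the same with /sbin/busybox) and read the `apparmor="DENIED"` lines in the kernel log or audit log. An explicit `audit deny /bin/* lrwxk,` is not required for the denial once the catch-all is gone, but it is still worth keeping where a later, broader allow rule must never reopen that path, since deny wins regardless of rule order.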


