[apparmor] Understanding child profiles and file_inherit
Vincas Dargis
vindrg at gmail.com
Sun Nov 5 16:02:55 UTC 2017
On 2017.11.05 13:10, intrigeri wrote:
>> Is it possible to deny all of these file_inherit somehow?
>
> Probably, with a wide deny rule such as (/**).
Is it possible to select file_inherit only? I mean, this will not even allow mmap of the executable itself, and it would deny
all these file rules in <abstractions/base>, wouldn't it?
In this case:
```
/{,usr}/bin/locale Cx -> locale,
profile locale {
#include <abstractions/base> # has to work
/{,usr}/bin/locale mr, # has to work
deny /* something something ? What could I write here? Is there deny file_inherit /** ? */
}
```