[apparmor] deny and selectively allow in AppArmor?

Jonas Große Sundrup jgs-apparmor at letopolis.de
Thu Aug 6 09:05:40 UTC 2020


Hi,

I'm currently playing around with AppArmor to confine some of my daily
software a bit, and it looks pretty promising.

However, there is one thing I'd like to achieve but haven't so far:

I would like to generally disallow access to the owner's home-directory,
but then selectively allow certain paths in it, for example firefox may
rmwx ~/.mozilla and subfiles/folders and write things into my
downloads-folder, but should not have
access to anything else.

So I'd like to do something like

    deny owner @{HOME},
    owner @{HOME}/.mozilla rwmx,
    # ... other selective whitelistings

Unfortunately, this doesn't work, because (if I remember
the documentation correctly) deny-directives are subtracted from the
allowed set after everything else was applied, so the deny-directive
above would effectively overwrite the allow-directive.

A solution is to explicitly list any paths besides ~/.mozilla for deny,
but that is quite cumbersome and error-prone if one would like to
achieve a tight security net as well as creating a very extensive
profile directory, as every file and directory not allowed has to be
listed explicitly.

The other idea I had, of specifying positive directions instead of
specifying deny-directives, also fails, as I have to provide at least
one mode, so either rwm or x would be allowed, which is also not what I
want to achieve.

I have tried doing it with regexes, but that hasn't been successful
either, but it might be that I got the syntax wrong.

So is there any way to solve this in AppArmor?


Thank you very much,
Jonas
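
The rule evaluation described in the message above (matching allow rules are unioned, then matching deny rules are subtracted), as an added example that is not part of the original post and is not AppArmor's own code. It is a simplified model: only `*` and `**` globbing is handled, the `owner` qualifier is ignored, and the `HOME` value, rule lists and file names are constructed for illustration.

```python
import re

HOME = "/home/alice"  # constructed value standing in for @{HOME}

def glob_to_regex(glob):
    """Translate a small subset of AppArmor globbing into a regex."""
    glob = glob.replace("@{HOME}", HOME)
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):   # '**' may cross directory separators
            out.append(".*"); i += 2
        elif glob[i] == "*":           # '*' stays within one path component
            out.append("[^/]*"); i += 1
        else:
            out.append(re.escape(glob[i])); i += 1
    return re.compile("".join(out))

def allowed(rules, path, perm):
    """Union all matching allow rules, then subtract all matching deny rules."""
    allow, deny = set(), set()
    for kind, glob, perms in rules:
        if glob_to_regex(glob).fullmatch(path):
            (deny if kind == "deny" else allow).update(perms)
    return perm in (allow - deny)

# Reading of the attempted profile: blanket deny plus a selective allow.
DENY_THEN_ALLOW = [
    ("deny", "@{HOME}/**", "rwm"),
    ("allow", "@{HOME}/.mozilla/**", "rwm"),
]
# Same allow rules with no deny: unmatched paths get an empty permission set.
ALLOW_ONLY = [
    ("allow", "@{HOME}/.mozilla/**", "rwm"),
    ("allow", "@{HOME}/Downloads/**", "rw"),
]

if __name__ == "__main__":
    for name, rules in (("deny+allow", DENY_THEN_ALLOW), ("allow only", ALLOW_ONLY)):
        for rel in (".mozilla/prefs.js", "Downloads/file.pdf", ".ssh/id_ed25519"):
            perms = "".join(p for p in "rwm" if allowed(rules, f"{HOME}/{rel}", p))
            print(f"{name:11} {rel:20} {perms or '-'}")
```

In this model the blanket deny removes the `.mozilla` permissions, while the allow-only rule list refuses `.ssh/id_ed25519` simply because no rule matches it.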


