[apparmor] Apparmor: Profile optimization

John Johansen john.johansen at canonical.com
Mon Apr 26 22:07:12 UTC 2021


On 4/16/21 10:48 AM, Murali Selvaraj wrote:
> Hi All,
> 
> We have observed that a few configuration files are present in /tmp which are
> needed for certain processes.
> For example, a few of the files are hidden files located in /tmp/.
> 
> In that case, shall we add the entry below?
> 
> /tmp/** rw,
> 

You could add that; it would cover all files in /tmp/.

> or do we need to add file-specific entries as below?
> 
> /tmp/file.txt r,
> /tmp/.init_complete rw,
> 
> Which would be the best way for security concerns, especially for
> embedded devices?
> Please advise.
> 

From a security standpoint, the more specific you can be the better. So if those file names don't change, only granting access to those is more secure than the general globbing rule of /tmp/** rw,
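
The difference between the two rule sets discussed in this thread, as an added example that is not part of the original messages or of AppArmor's own code. It uses a simplified model of AppArmor path globs (only `*`, `**` and `?`, no `owner` or deny rules), and every path other than the two named in the thread is constructed for illustration.

```python
import re

def glob_to_regex(glob):
    """Translate a simplified AppArmor path glob (*, **, ?) into a regex."""
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*")        # ** crosses directory separators
            i += 2
        elif glob[i] == "*":
            out.append("[^/]*")     # * stays inside one path component
            i += 1
        elif glob[i] == "?":
            out.append("[^/]")      # ? is one character, never '/'
            i += 1
        else:
            out.append(re.escape(glob[i]))
            i += 1
    return re.compile("".join(out))

def parse_rules(text):
    """Parse lines of the form '<path glob> <perms>,' into (regex, perms)."""
    rules = []
    for line in text.splitlines():
        line = line.strip().rstrip(",")
        if not line or line.startswith("#"):
            continue
        path, perms = line.rsplit(None, 1)
        rules.append((glob_to_regex(path), set(perms)))
    return rules

def granted(rules, path):
    """Union of the permissions of every rule that matches the path."""
    perms = set()
    for regex, rule_perms in rules:
        if regex.fullmatch(path):
            perms |= rule_perms
    return "".join(sorted(perms))

BROAD = parse_rules("/tmp/** rw,")
SPECIFIC = parse_rules("/tmp/file.txt r,\n/tmp/.init_complete rw,")
# Constructed paths: the two from the thread plus other things found in /tmp.
PATHS = ["/tmp/file.txt", "/tmp/.init_complete", "/tmp/other-daemon.sock",
         "/tmp/.X11-unix/X0", "/tmp/upgrade/stage/fw.bin"]

def compare():
    return {p: (granted(BROAD, p), granted(SPECIFIC, p)) for p in PATHS}

if __name__ == "__main__":
    for path, (broad, specific) in compare().items():
        print(f"{path:28} broad={broad or '-':3} specific={specific or '-'}")
```
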



