[ubuntu-hardened] [apparmor] AppArmor profile: requested_mask and denied_mask = "c", "x".

daniel curtis sidetripping at gmail.com
Sat Dec 19 18:20:42 UTC 2015


Hi Christian,

So, if "c" means create file/directory, then if AppArmor audit
entries (for example from log files etc.) contain something like
this:

operation="mkdir", requested_mask="c", denied_mask="c"

Then the rule in an AppArmor application profile should look like:

/home/user/.app/ w,

Am I right? That should be enough? You wrote: for file 'a' (append)
permission might be enough, right? So, instead of 'w' (see above)
I should use 'a'? Of course if 'operation' will be responsible for
file creation.

>> That means executing another binary.
>> Depending on what gets executed, you can choose (...)

You've asked about what gets executed. Let's say that it is, for
example:

operation="exec", requested_mask="x", denied_mask="x"

It concerns /usr/bin/pulseaudio and /usr/lib/firefox/plugin-container.
So, which permission should be okay in this example: 'ix', 'Cx'?
Or maybe another one? Sorry for such a naive question, but... I
want to create a secure profile.

Thank you very much for the information about 'aa-logprof' and
the man page for 'apparmor.d'. (I checked it already, but I will do it one
more time). Definitely, I will check "AppArmor Crash Course"
and slides at blog.cboltz.de etc.

Best regards.
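
A triage helper for denials like the two quoted in the message above, as an added example that is not part of the original post: it groups `DENIED` audit entries by profile, operation and `denied_mask`, so each distinct path can be reviewed before a rule is written for it. The profile name `/usr/bin/app`, the log lines and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: profile name, pid and timestamps are made up; the
# operations, masks and executable paths are the ones quoted in the message.
# The audit subsystem hex-encodes names containing spaces, so one entry does too.
HEX_NAME = "/home/user/.app/my cache/".encode().hex().upper()
TEMPLATE = ('audit: type=1400 audit(1450548000.1:%d): apparmor="%s" '
            'operation="%s" profile="/usr/bin/app" name=%s pid=2101 '
            'comm="app" requested_mask="%s" denied_mask="%s"')
SAMPLE_LOG = "\n".join([
    TEMPLATE % (41, "DENIED", "mkdir", '"/home/user/.app/"', "c", "c"),
    TEMPLATE % (42, "DENIED", "mkdir", '"/home/user/.app/"', "c", "c"),
    TEMPLATE % (43, "DENIED", "mkdir", HEX_NAME, "c", "c"),
    TEMPLATE % (44, "DENIED", "exec", '"/usr/bin/pulseaudio"', "x", "x"),
    TEMPLATE % (45, "DENIED", "exec", '"/usr/lib/firefox/plugin-container"', "x", "x"),
    TEMPLATE % (46, "ALLOWED", "open", '"/etc/hosts"', "r", "r"),
])

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Return the key=value fields of a DENIED entry, or None for other lines."""
    fields = {}
    for key, raw in FIELD.findall(line):
        if raw.startswith('"'):
            fields[key] = raw[1:-1]
        elif key == "name" and re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", raw):
            # Unquoted name: decode the hex form back to the real path.
            fields[key] = bytes.fromhex(raw).decode("utf-8", "replace")
        else:
            fields[key] = raw
    return fields if fields.get("apparmor") == "DENIED" else None

def summarise(log_text):
    """Map (profile, operation, denied_mask) to the sorted distinct paths."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            key = (ev.get("profile", "?"), ev.get("operation", "?"),
                   ev.get("denied_mask", "?"))
            groups[key].add(ev.get("name", "?"))
    return {k: sorted(v) for k, v in groups.items()}

if __name__ == "__main__":
    for (profile, op, mask), paths in summarise(SAMPLE_LOG).items():
        print(f"{profile}: operation={op} denied_mask={mask}")
        for path in paths:
            print(f"    {path}")
```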