If you write a profile for your pycharm.sh file and then give "ix" execute 
permissions to the java executable, the JVM spawned from pycharm.sh will 
inherit pycharm.sh's profile.

You can add "deny" rules to prevent access to those files by those names. (If 
they are bind-mounted or hardlinked into pathnames that _are_ allowed, access 
will be granted if requested under those different names.) 
You may also wish to deny writes to AppArmor policies, kernel modules, kernels, 
and early startup programs, to reduce the chances the program can subvert 
AppArmor controls. (Though if pycharm.sh runs as a user, the standard Unix 
permissions should already do this.)

It could look something like:

/path/to/pycharm.sh {
  /** rwmixlk,
  deny /home/foo/Documents/ rw,
  deny /home/foo/Documents/** rwmxlk,
}

I'm less certain of the "x" on the deny line; check the apparmor.d(5) manpage 
for details. Also look in the /etc/apparmor.d/abstractions/ directory for more 
examples of "deny" rules (e.g., to prevent programs such as Firefox from 
reading your ~/.ssh/ files...)

I hope this helps.

-----Original Message-----
From: Ahmet Emre Alada <aladage...@gmail.com>
Sender: apparmor-boun...@lists.ubuntu.com
Date: Sun, 26 Aug 2012 18:52:05 
To: <apparmor@lists.ubuntu.com>
Subject: [apparmor] Allow defaults except for reading a directory

-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor
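To make the pathname-based behaviour described in the reply above concrete (deny rules override allow rules, and a file reached under an allowed name is still allowed), here is a small simulation of how AppArmor evaluates the quoted profile. This is an added illustration, not AppArmor's own parser or matcher: it models only `*`/`**` globbing, permission accumulation and deny precedence. The `/usr/lib/jvm/**/bin/java ix,` rule and the `/tmp/alias/secret.txt` "hardlink" name are assumptions constructed for the example; the real java path depends on the distribution.

```python
"""Simplified model of AppArmor file-rule evaluation (constructed example,
not AppArmor code). Models glob matching, permission accumulation and
deny precedence for the profile quoted in the mailing-list reply."""
import re

# Profile from the reply, plus one assumed rule giving the java binary an
# 'ix' (inherit) exec transition. The jvm path is a placeholder.
PROFILE = """
/path/to/pycharm.sh {
  /** rwmixlk,
  /usr/lib/jvm/**/bin/java ix,
  deny /home/foo/Documents/ rw,
  deny /home/foo/Documents/** rwmxlk,
}
"""

RULE_RE = re.compile(r"^\s*(deny\s+)?(/\S+)\s+([a-zA-Z]+),\s*$")
EXEC_QUALIFIERS = set("ipuc")  # i=inherit, p=profile, u=unconfined, c=child


def glob_to_regex(pattern):
    """'**' matches any characters including '/', '*' any run without '/'.
    A trailing '/' keeps the rule matching the directory entry itself
    (as in 'deny /home/foo/Documents/ rw'). AppArmor's real globbing has
    more cases; this is deliberately minimal."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def parse_profile(text):
    """Return a list of (is_deny, regex, perms, exec_qualifier) tuples.
    Header line and closing brace carry no rule and are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        is_deny, path, mode = m.group(1) is not None, m.group(2), m.group(3)
        perms = frozenset(c for c in mode if c not in EXEC_QUALIFIERS)
        qualifier = next((c for c in mode if c in EXEC_QUALIFIERS), None)
        rules.append((is_deny, glob_to_regex(path), perms, qualifier))
    return rules


def check(rules, path, requested):
    """True if every requested permission letter is granted by some allow
    rule and none of them is removed by a matching deny rule. Matching is
    purely by the name the access is requested under, which is why an
    alias (hardlink or bind mount) under an allowed name slips through."""
    wanted = set(requested)
    granted, denied = set(), set()
    for is_deny, rx, perms, _ in rules:
        if rx.match(path):
            (denied if is_deny else granted).update(perms)
    return wanted <= (granted - denied)


def exec_mode(rules, path):
    """Exec transition ('ix', 'px', ...) the profile gives a path, or None
    when execution is not permitted (e.g. removed by a deny rule)."""
    if not check(rules, path, "x"):
        return None
    for is_deny, rx, perms, qualifier in rules:
        if not is_deny and rx.match(path) and "x" in perms and qualifier:
            return qualifier + "x"
    return None


if __name__ == "__main__":
    rules = parse_profile(PROFILE)
    for p, mode in [("/home/foo/Documents/secret.txt", "r"),
                    ("/home/foo/Documents/", "r"),
                    ("/home/foo/notes.txt", "rw"),
                    ("/tmp/alias/secret.txt", "r")]:  # constructed alias name
        print(f"{mode:3} {p}: {'allowed' if check(rules, p, mode) else 'denied'}")
    print("java exec mode:", exec_mode(rules, "/usr/lib/jvm/java-11/bin/java"))
```

The last case is the caveat from the reply: `/tmp/alias/secret.txt` is treated as allowed even if it is a hardlink to a file under `~/Documents`, because the deny rule only ever sees the pathname used in the request.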
