If you write a profile for your pycharm.sh file and then give "ix" execute permissions to the java executable, the JVM spawned from pycharm.sh will inherit pycharm.sh's profile.
You can add "deny" rules to prevent access to those files by those names. (If they are bind-mounted or hardlinked into pathnames that _are_ allowed, access will be granted if requested under those different names.) You may also wish to deny writes to AppArmor policies, kernel modules, kernels, and early startup programs, to reduce the chances the program can subvert AppArmor controls. (Though if pycharm.sh runs as a user, the standard Unix permissions should already do this.)

It could look something like:

  /path/to/pycharm.sh {
    /** rwmixlk,
    deny /home/foo/Documents/ rw,
    deny /home/foo/Documents/** rwmxlk,
  }

I'm less certain of the "x" on the deny line; check the apparmor.d(5) manpage for details. Also look in the /etc/apparmor.d/abstractions/ directory for more examples of "deny" rules (e.g., to prevent programs such as Firefox from reading your ~/.ssh/ files...).

I hope this helps

-----Original Message-----
From: Ahmet Emre Alada <aladage...@gmail.com>
Sender: apparmor-boun...@lists.ubuntu.com
Date: Sun, 26 Aug 2012 18:52:05
To: <apparmor@lists.ubuntu.com>
Subject: [apparmor] Allow defaults except for reading a directory

--
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
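Below is a fuller profile put together as an added example; it is not from the reply above or from the AppArmor project. It assumes a hypothetical launcher at /home/foo/bin/pycharm.sh and a JVM under /usr/bin/java and /usr/lib/jvm; those paths, and the list of "early startup" directories at the bottom, are assumptions to adjust for your system. It shows the "ix" inheritance the reply describes, the deny rules for the Documents tree, and the extra denies that make it harder for a confined process to loosen its own confinement.

```apparmor
# Added example profile (not from the original thread). All paths below are
# assumptions for illustration; install as /etc/apparmor.d/home.foo.bin.pycharm.sh
# and load with: apparmor_parser -r /etc/apparmor.d/home.foo.bin.pycharm.sh

/home/foo/bin/pycharm.sh {
  # "Allow defaults except for reading a directory": grant everything first.
  /** rwmixlk,

  # Executables spawned by the script run under this same profile ("ix"),
  # so the JVM and any helper binaries stay inside these rules.
  /usr/bin/java ix,
  /usr/lib/jvm/** ix,

  # Deny rules take precedence over the blanket allow above, so the Documents
  # tree stays unreadable regardless of what /** grants. Deny rules take a
  # bare "x" with no ix/px qualifier. "audit" makes the kernel log each
  # denied access, which is useful while testing the profile (plain "deny"
  # is quiet by default).
  audit deny /home/foo/Documents/ rwmlkx,
  audit deny /home/foo/Documents/** rwmlkx,

  # Reduce the chance the confined program can subvert AppArmor itself:
  # no writes or links into policy, kernel modules, kernels, or early boot.
  deny /etc/apparmor.d/** wl,
  deny /etc/apparmor/** wl,
  deny /lib/modules/** wl,
  deny /boot/** wl,
  deny /etc/init.d/** wl,
  deny /etc/init/** wl,
}
```

After loading, `aa-status` lists the profile and any processes confined by it. The caveat from the reply still applies: AppArmor matches on the pathname used for the open, so a hardlink or bind mount that exposes a Documents file under a path the `/**` rule allows will be readable through that other name; pair the deny rules with ordinary Unix permissions on the directory rather than relying on them alone.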