Thank you very much for your answer,

# Last Modified: Sun Aug 26 00:00:35 2012
#include <tunables/global>

/home/research/.bin/pycharm-2.5.2/bin/pycharm.sh {
  /** rwmixlk,
  /usr/lib/jdk.1.7.0_06/bin/java rix,
  deny /home/research/Documents/ rw,
  deny /home/research/Documents/** rwmxlk,
}

This did not deny reading of the Documents folder. Have I done what you meant correctly here?

On Sun, Aug 26, 2012 at 7:09 PM, Seth Arnold <seth.arn...@gmail.com> wrote:
> If you write a profile for your pycharm.sh file and then give "ix" execute
> permissions to the java executable, the JVM spawned from pycharm.sh will
> inherit pycharm.sh's profile.
>
> You can add "deny" rules to prevent access to those files by those names.
> (If they are bind-mounted or hardlinked into pathnames that _are_ allowed,
> access will be granted if requested under those different names.)
> You may also wish to deny writes to AppArmor policies, kernel modules,
> kernels, and early startup programs, to reduce the chances the program can
> subvert AppArmor controls. (Though if pycharm.sh runs as a user, the
> standard Unix permissions should already do this.)
>
> It could look something like:
>
> /path/to/pycharm.sh {
>   /** rwmixlk,
>   deny /home/foo/Documents/ rw,
>   deny /home/foo/Documents/** rwmxlk,
> }
>
> I'm less certain of the "x" on the deny line; check the apparmor.d(5)
> manpage for details. Also look in the /etc/apparmor.d/abstractions/
> directory for more examples of "deny" rules (e.g., to prevent programs such
> as Firefox from reading your ~/.ssh/ files...)
>
> I hope this helps
>
--
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
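As an added illustration (not code from this thread or from the AppArmor project), the following Python models the path-rule subset of AppArmor matching that the profile above relies on: `**` spans directory separators, a single `*` does not, and a matching `deny` rule removes permissions no matter how broad the allow rule is, which is why `/** rwmixlk,` does not undo the `deny` on Documents. It assumes the profile exactly as posted, ignores include files, and drops the execute-mode modifiers (i, u, p, c).

```python
import re

# The profile posted in this thread, embedded here as constructed sample input.
PROFILE = """
/home/research/.bin/pycharm-2.5.2/bin/pycharm.sh {
  /** rwmixlk,
  /usr/lib/jdk.1.7.0_06/bin/java rix,
  deny /home/research/Documents/ rw,
  deny /home/research/Documents/** rwmxlk,
}
"""

RULE_RE = re.compile(r'^\s*(deny\s+)?(\S+)\s+([rwmklxiupca]+),\s*$')  # deny? glob perms,

def glob_to_regex(pattern):
    """AppArmor globbing: '**' may span '/', a single '*' may not."""
    out, i = '', 0
    while i < len(pattern):
        if pattern.startswith('**', i):
            out, i = out + '.*', i + 2
        elif pattern[i] == '*':
            out, i = out + '[^/]*', i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile('^' + out + '$')

def parse_profile(text):
    """Return (is_deny, path_regex, perms) per path rule; modifiers i/u/p/c dropped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            perms = {c for c in m.group(3) if c in 'rwmklxa'}
            rules.append((bool(m.group(1)), glob_to_regex(m.group(2)), perms))
    return rules

def check_access(rules, path, wanted):
    """Decide a request: a matching deny rule wins over every allow rule."""
    wanted, allowed, denied = set(wanted), set(), set()
    for is_deny, rx, perms in rules:
        if rx.match(path):
            (denied if is_deny else allowed).update(perms)
    if wanted & denied:
        return False, 'denied: ' + ''.join(sorted(wanted & denied))
    if wanted <= allowed:
        return True, 'allowed'
    return False, 'not granted: ' + ''.join(sorted(wanted - allowed))

RULES = parse_profile(PROFILE)  # decisions below are for the posted profile
```

This only shows what an enforced profile is expected to decide for a given path; whether a running process is actually confined by that profile is reported by aa-status or by reading /proc/<pid>/attr/current.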