Hi,

On 2020-08-06, John Johansen wrote:
> apparmor is default deny

I wasn't aware of that part; I probably didn't read that part of the
documentation well enough to remember it in that moment, and during my
testing this likely didn't work because, down the tree of included
abstractions,

On 2020-08-06, Christian Boltz wrote:
> do you have any rule in your profile that _allows_ access to the home
> directory?

this was the case. Default-deny does make a lot more sense with regard
to a MAC system indeed.

I took an evening cleaning out the abstractions to suit my needs and
now things do indeed work like I want them to! And most of the
abstractions are now hand-curated, so I actually know what each of them
does.

Thank you very much for the pointers!

I have one question left, when we're at it: If I do have conflicting
directives, such as

    /my/directory r,
    /my/directory rw,

which one takes precedence? The first, the last, the stricter or the
broader?
In the case of nesting, I'd suspect that AppArmor will just nest the
policies accordingly, no matter in which order they occur, right?


  ~ Jonas


On 2020-08-06, Christian Boltz wrote:
> You could do some trickery with regexes. Annoying, but still better
> than having to deny each and every file separately. Something like
> this:
> 
> deny owner @{HOME}/,  # deny directory listing of the home directory
> deny owner @{HOME}/[^.]**,
> deny owner @{HOME}/[^.][^m]**,
> deny owner @{HOME}/[^.][^m][^o]**,
> deny owner @{HOME}/[^.][^m][^o][^z]**,
> deny owner @{HOME}/[^.][^m][^o][^z][^i]**,
> deny owner @{HOME}/[^.][^m][^o][^z][^i][^l]**,
> deny owner @{HOME}/[^.][^m][^o][^z][^i][^l][^l]**,
> deny owner @{HOME}/[^.][^m][^o][^z][^i][^l][^l][^a]**,

I thank you kindly for the proposal, but I think I'll avoid this
approach. ;)

-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor
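An added example from the editor, not code from the thread or from the AppArmor project: a small Python model of how AppArmor evaluates file rules, used to answer the overlap question above (`/my/directory r,` next to `/my/directory rw,`) and to exercise the "deny everything under @{HOME} except one dotted subtree" approach Christian sketches. It encodes AppArmor's documented rule semantics (permissions from all matching allow rules are combined, a matching deny rule removes its permissions, and the order of rules does not matter), plus the globbing behaviour that a `*` or `**` directly after `/` has to match at least one character. The `@{HOME}` value, the two profile fragments and the sample paths are constructed for the example; the deny chain is written with a literal leading `.` in each step and an extra `.mozilla?**` guard, which is the editor's rendering of the approach rather than the quoted rules.

```python
"""Toy model of AppArmor file-rule evaluation (added example; not AppArmor code)."""
import re

# Assumed value for @{HOME}; real AppArmor takes it from tunables/home. Constructed.
VARIABLES = {"@{HOME}": "/home/jonas"}


def glob_to_regex(pattern):
    """Translate an AppArmor path glob into an anchored Python regex.

    Handles @{VAR}, '**' (any characters including '/'), '*' (any characters
    except '/'), '?' (one character except '/'), '[...]' classes and '{a,b}'
    alternation. As in the real parser, a '*' or '**' that directly follows
    '/' must match at least one character, so '/dir/**' does not match '/dir/'.
    """
    for name, value in VARIABLES.items():
        pattern = pattern.replace(name, value)
    out, i = "", 0
    while i < len(pattern):
        after_slash = i == 0 or pattern[i - 1] == "/"
        if pattern.startswith("**", i):
            out += ".+" if after_slash else ".*"
            i += 2
        elif pattern[i] == "*":
            out += "[^/]+" if after_slash else "[^/]*"
            i += 1
        elif pattern[i] == "?":
            out += "[^/]"
            i += 1
        elif pattern[i] == "[":  # AppArmor class syntax is regex-compatible, pass it through
            j = pattern.index("]", i)
            out += pattern[i:j + 1]
            i = j + 1
        elif pattern[i] == "{":
            j = pattern.index("}", i)
            out += "(?:" + "|".join(re.escape(a) for a in pattern[i + 1:j].split(",")) + ")"
            i = j + 1
        else:
            out += re.escape(pattern[i])
            i += 1
    return re.compile("^" + out + "$")


def parse_rule(line):
    """Parse one file rule of the form: [deny] [owner] <glob> <perms>,  # comment"""
    tokens = line.split("#", 1)[0].strip().rstrip(",").split()
    deny = tokens[0] == "deny"
    if deny:
        tokens = tokens[1:]
    owner = tokens[0] == "owner"
    if owner:
        tokens = tokens[1:]
    glob, perms = tokens
    return {"deny": deny, "owner": owner, "regex": glob_to_regex(glob), "perms": set(perms)}


def effective_perms(profile_text, path, owned=True):
    """Permissions the fragment grants on `path` (owned=True: the file is ours).

    Allow rules accumulate (union), deny rules are subtracted afterwards, so a
    deny wins regardless of where it appears in the profile.
    """
    allowed, denied = set(), set()
    for line in profile_text.splitlines():
        if not line.strip() or line.strip().startswith("#"):
            continue
        rule = parse_rule(line)
        if rule["owner"] and not owned:
            continue
        if rule["regex"].match(path):
            (denied if rule["deny"] else allowed).update(rule["perms"])
    return allowed - denied


# Constructed fragment: the overlapping rules asked about in the thread.
OVERLAP_PROFILE = """
/my/directory r,
/my/directory rw,
"""

# Constructed fragment: allow the whole home directory, then deny everything
# except the .mozilla subtree with a chain of negated character classes.
HOME_PROFILE = """
owner @{HOME}/** rw,
deny owner @{HOME}/ r,             # no listing of the home directory itself
deny owner @{HOME}/[^.]** rw,      # every name that does not start with a dot
deny owner @{HOME}/.[^m]** rw,     # dotted names that diverge from .mozilla at char 2
deny owner @{HOME}/.m[^o]** rw,
deny owner @{HOME}/.mo[^z]** rw,
deny owner @{HOME}/.moz[^i]** rw,
deny owner @{HOME}/.mozi[^l]** rw,
deny owner @{HOME}/.mozil[^l]** rw,
deny owner @{HOME}/.mozill[^a]** rw,
deny owner @{HOME}/.mozilla?** rw, # .mozillaX/... would otherwise slip through
"""

if __name__ == "__main__":
    print("/my/directory ->", "".join(sorted(effective_perms(OVERLAP_PROFILE, "/my/directory"))))
    for path in ["/home/jonas/", "/home/jonas/Documents/notes.txt", "/home/jonas/.ssh/id_rsa",
                 "/home/jonas/.mozilla/firefox/profiles.ini", "/home/jonas/.mozillaz/x"]:
        perms = "".join(sorted(effective_perms(HOME_PROFILE, path))) or "(denied)"
        print(f"{path} -> {perms}")
```

The model reports `rw` for `/my/directory` whichever of the two rules comes first, and it shows why the chain needs the `@{HOME}/ r` line and the final `?**` guard: `/dir/**` never matches `/dir/` itself, and `.mozilla` with a suffix is neither caught by the character-class steps nor intended to be allowed.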