Hi,

On 2020-08-06, John Johansen wrote:
> apparmor is default deny

I wasn't aware of that part, probably didn't read that part of the documentation well enough to remember it in that moment, and during my testing this likely didn't work because, down the tree of included abstractions,

On 2020-08-06, Christian Boltz wrote:
> do you have any rule in your profile that _allows_ access to the home
> directory?

this was the case. Default-deny does make a lot more sense with regards to a MAC system indeed.

I took an evening cleaning out the abstractions to suit my needs, and now things do indeed work like I want them to! And most of the abstractions are now hand-curated, so I actually know what each of them does. Thank you very much for the pointers!

I have one question left, while we're at it: if I do have conflicting directives, such as

    /my/directory r,
    /my/directory rw,

which one takes precedence? The first, the last, the stricter or the broader? In case of nesting I'd suspect that AppArmor will just nest the policies accordingly, no matter in which order they occur, right?

~ Jonas

On 2020-08-06, Christian Boltz wrote:
> You could do some trickery with regexes. Annoying, but still better
> than having to deny each and every file separately. Something like
> this:
>
>     deny owner @{HOME}/, # deny directory listing of the home directory
>     deny owner @{HOME}/[^.]**,
>     deny owner @{HOME}/[^.][^m]**,
>     deny owner @{HOME}/[^.][^m][^o]**,
>     deny owner @{HOME}/[^.][^m][^o][^z]**,
>     deny owner @{HOME}/[^.][^m][^o][^z][^i]**,
>     deny owner @{HOME}/[^.][^m][^o][^z][^i][^l]**,
>     deny owner @{HOME}/[^.][^m][^o][^z][^i][^l][^l]**,
>     deny owner @{HOME}/[^.][^m][^o][^z][^i][^l][^l][^a]**,

I thank you kindly for the proposal, but I think I'll avoid this approach. ;)

-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
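The regex chain Christian quotes above, as an added example (my own Python, not code from the thread or from the AppArmor project): a small emulator of the AppArmor glob subset those rules use (`**`, `*`, `[^x]`, `@{HOME}`), a generator that builds the same deny chain for any entry name, and a checker that reports whether a sample path falls under the chain. The value `/home/jonas` for @{HOME} and the sample paths are constructed; the generalisation to any entry name is mine.

```python
import re

HOME = "/home/jonas"  # constructed value standing in for the @{HOME} variable


def glob_to_regex(glob: str) -> re.Pattern:
    """Translate the AppArmor path-glob subset used in the thread
    (@{HOME}, *, **, [...] and [^...] classes) into an anchored regex.
    Alternation {a,b} and other AppArmor syntax is deliberately not handled."""
    path, out, i = glob.replace("@{HOME}", HOME), [], 0
    while i < len(path):
        if path.startswith("**", i):
            out.append(".*")          # ** = any characters, including '/'
            i += 2
        elif path[i] == "*":
            out.append("[^/]*")       # *  = any characters except '/'
            i += 1
        elif path[i] == "[":
            j = path.index("]", i)    # a class body means the same in Python
            out.append(path[i:j + 1])
            i = j + 1
        else:
            out.append(re.escape(path[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def deny_all_but(name: str) -> list:
    """Build the deny chain from the thread for an arbitrary entry name:
    deny the directory listing, then every name that differs from `name`
    at position 0, 1, 2, ... (the quoted rules are this chain for '.mozilla')."""
    rules = ["deny owner @{HOME}/,"]
    for k in range(len(name)):
        rules.append(f"deny owner @{{HOME}}/{name[:k]}[^{name[k]}]**,")
    return rules


def rule_path(rule: str) -> str:
    """Strip the 'deny owner ' qualifier and the trailing comma."""
    return rule.removeprefix("deny owner ").rstrip(",")


def is_denied(path: str, rules: list) -> bool:
    """True if any rule of the chain matches; AppArmor evaluates deny rules
    ahead of allow rules, so a match here wins over any allowing abstraction."""
    return any(glob_to_regex(rule_path(r)).match(path) for r in rules)


if __name__ == "__main__":
    chain = deny_all_but(".mozilla")
    for p in ("/home/jonas/", "/home/jonas/.config/x", "/home/jonas/.mozilla/firefox/profiles.ini",
              "/home/jonas/.moz", "/home/jonas/.mozilla-backup"):  # constructed sample paths
        print(f"{'DENY ' if is_denied(p, chain) else 'allow'} {p}")
```

Two things the checker makes visible: the chain only catches names that diverge from `.mozilla` at some character, so a strict prefix like `.moz` or an extension like `.mozilla-backup` is not denied; and as quoted above, rules two to nine all begin with `[^.]`, which rule one already covers, whereas each later rule has to start with the literal prefix (`.`, `.m`, `.mo`, ...) of the name being kept.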