Hello,

On Friday, 7 August 2020, 19:07:41 CEST, Jonas Große Sundrup wrote:
> I have one question left, when we're at it: If I do have conflicting
> directives, such as
> 
>     /my/directory r,
>     /my/directory rw,
> 
> which one takes precedence? The first, the last, the stricter or the
> broader?

They get added up - so in your example, you'll get rw.

As another example,

  /foo rwl,
  /foo wk,

will effectively give you   /foo rwlk,

> In case of nested I'd suspect that AppArmor will just nest the
> policies accordingly, no matter in which order they occur, right?

The rule order doesn't matter.


> On 2020-08-06, Christian Boltz wrote:
> > You could do some trickery with regexes. Annoying, but still better
> > than having to deny each and every file separately. Something like
> > this:
> > deny owner @{HOME}/,  # deny directory listing of the home directory
> > deny owner @{HOME}/[^.]**,
> > deny owner @{HOME}/[^.][^m]**,
> > deny owner @{HOME}/[^.][^m][^o]**,
> > deny owner @{HOME}/[^.][^m][^o][^z]**,

Looking at this again, I noticed a bug - it needs to be

deny owner @{HOME}/[^.]**,
deny owner @{HOME}/.[^m]**,
deny owner @{HOME}/.m[^o]**,
deny owner @{HOME}/.mo[^z]**,

> I thank you kindly for the proposal, but I think I'll avoid this
> approach. ;)

Good decision ;-)


Regards,

Christian Boltz
-- 
<jdstrand> [after 4 bugreports] that should be all of them
<cboltz> well, at least until there's an openSUSE kernel with stacking
         available ;-)
<jjohansen> cboltz: no, no, no, see this is why we can't upstream,
            cboltz will break everything
[from #apparmor]
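The two points in this reply (permissions for the same path add up, and the corrected negated-class pattern) can be checked with a small model. The following is an added example, not code from the thread or from AppArmor itself; it assumes a simplified glob semantics (`**` matches anything including `/`, `*` anything except `/`, `[...]` a single character) and expands `@{HOME}` to a constructed `/home/user`:

```python
import re

# Simplified model of AppArmor path globbing for the rules in this thread
# (an assumption, not the AppArmor parser): '**' matches any characters
# including '/', '*' matches any characters except '/', and '[...]' / '[^...]'
# are single-character classes with regex semantics.
def glob_to_regex(pattern: str) -> str:
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "[":
            j = pattern.index("]", i)        # copy the class through verbatim
            out.append(pattern[i:j + 1])
            i = j + 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return "^" + "".join(out) + "$"

def denied_by(rules, path, home="/home/user"):
    """Return the deny rules whose path pattern matches `path` (@{HOME} expanded)."""
    return [r for r in rules if re.match(glob_to_regex(r.replace("@{HOME}", home)), path)]

def merge_permissions(rules):
    """Rules for the same path add up: union of the permission letters."""
    merged = {}
    for path, perms in rules:
        merged[path] = "".join(sorted(set(merged.get(path, "")) | set(perms)))
    return merged

# The regex-based deny set as first posted, and the corrected one from this reply
# (path patterns only; the directory-listing rule @{HOME}/ is left out).
BUGGY = ["@{HOME}/[^.]**", "@{HOME}/[^.][^m]**",
         "@{HOME}/[^.][^m][^o]**", "@{HOME}/[^.][^m][^o][^z]**"]
FIXED = ["@{HOME}/[^.]**", "@{HOME}/.[^m]**",
         "@{HOME}/.m[^o]**", "@{HOME}/.mo[^z]**"]

if __name__ == "__main__":
    for path in ["/home/user/Documents/notes.txt",       # constructed sample paths
                 "/home/user/.config/foo.conf",
                 "/home/user/.mozilla/firefox/profiles.ini"]:
        print(path, "buggy:", denied_by(BUGGY, path), "fixed:", denied_by(FIXED, path))
    print(merge_permissions([("/foo", "rwl"), ("/foo", "wk")]))
```

With the first version, `.config/foo.conf` is denied by no rule at all, because every pattern requires a non-dot first character; the corrected set denies it while still leaving `.mozilla/...` alone.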


-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor
