[apparmor] Allow defaults except for reading a directory
Hi,

1) Is it possible to allow default access for a program but deny only a single directory like /home/user/Documents?

2) I'd like to restrict PyCharm, which is a java program run by the pycharm.sh file with content:

    ...
    MAIN_CLASS_NAME=com.intellij.idea.Main
    eval $JDK/bin/java $ALL_JVM_ARGS -Djb.restart.code=88 $MAIN_CLASS_NAME $*

When it's run, ps x gives the following result:

    20971 pts/3    Sl+    0:27 /usr/lib/jdk.1.7.0_06/bin/java -Xms128m -Xmx800m -XX:MaxPermSize=350m -XX:ReservedCodeCacheSize=64m -ea -Djb.vmOptionsFile=./pycharm64.vmoptions -Xb

Can I restrict specifically this process but not the whole java?

Thanks,

--
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
Re: [apparmor] Allow defaults except for reading a directory
Now I found the problem. When I use sh pycharm.sh, it doesn't work. When I use ./pycharm.sh, it works! Access denied.

Thank you very very much, it was very kind of you.

On Sun, Aug 26, 2012 at 7:46 PM, Seth Arnold seth.arn...@gmail.com wrote:
> Could you include the relevant AppArmor lines from your /var/log/audit/audit.log or /var/log/messages files?
Re: [apparmor] Allow defaults except for reading a directory
On Sun, Aug 26, 2012 at 12:01:41PM -0500, Ian Nicholson wrote:
> On 08/26/2012 11:58 AM, Ahmet Emre Aladağ wrote:
>> Now I found the problem. When I use sh pycharm.sh, it doesn't work. When I use ./pycharm.sh, it works! Access denied.
>>
>> Thank you very very much, it was very kind of you.
>
> I ran into this myself yesterday, except with a python file. I assume it's because running python filename.py causes apparmor to apply the profile for the python interpreter, whereas running ./filename.py will cause apparmor to use the profile that I've created for the actual script. Can anyone tell me if that's right?

That's correct. It's a matter of what the kernel thinks is executing. The first is running the interpreter with an argument (the script) and the latter is running the script, which has a given interpreter.

-Kees

--
Kees Cook
@outflux.net
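A constructed profile illustrating both points raised in this thread (denying one directory while allowing everything else, and confining the JVM only when it is launched from pycharm.sh). This is an added example, not a profile posted by anyone here; the launcher path /opt/pycharm/bin/pycharm.sh and the JDK location /usr/lib/jdk* are assumptions to adjust for your install.

```apparmor
# Constructed example profile, not from this thread. Assumed paths:
# launcher at /opt/pycharm/bin/pycharm.sh, JDK under /usr/lib/jdk*.
# The profile attaches only when the kernel exec()s pycharm.sh itself
# (./pycharm.sh); "sh pycharm.sh" executes an unconfined /bin/sh, which
# is exactly the difference Kees describes above.
/opt/pycharm/bin/pycharm.sh {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  # The script's interpreter and the java binary it evals run with
  # ix (inherit), so this JVM is confined by this profile while java
  # started any other way stays untouched (answers question 2).
  /bin/{sh,dash,bash} ix,
  /usr/lib/jdk*/bin/java ix,

  # "Default access": one broad allow rule for everything else.
  /** rwklmix,

  # deny takes precedence over allow in AppArmor, so this carves the
  # directory out of the broad rule (question 1). "audit" keeps each
  # rejected access in the log that Seth asked for; plain deny is silent.
  audit deny /home/*/Documents/{,**} rwklmx,
}
```

Save it as /etc/apparmor.d/opt.pycharm.bin.pycharm.sh and load it with apparmor_parser -r on that file; a read attempt under ~/Documents from the IDE then appears as an apparmor="DENIED" line in /var/log/audit/audit.log or /var/log/messages.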
[apparmor] funny aa-exec behaviour
Hello,

    # aa-exec
    #

I'd expect an error message about missing parameters in this case...

Regards,

Christian Boltz

--
In case someone reads this and does not understand irony: this is not a valid solution for something you want to submit to openSUSE:Factory
Of course I'm aware that such a subversive hack will not be accepted there, I'm just exploring the endless possibilities of evil ;-)
[ Stephan Kulow and Cristian Rodríguez in opensuse-packaging ]