On 06/22/2016 12:23 AM, Georg Schoenberger wrote:
> On 2016-06-22 08:54, John Johansen wrote:
>> On 06/21/2016 10:47 PM, Georg Schoenberger wrote:
>>> Hi Apparmor Team,
>>>
>>> I am currently working on a profile for PHP-FPM. Unfortunately the
>>> application is quite complicated,
>>> therefore I am thinking about using a blacklist (default allow) in the
>>> profile:
>>> * http://wiki.apparmor.net/index.php/FAQ#What_is_Default_Allow_.28Black_listing.29
>>>
>>> Any examples on how to do that in the profile?
>>>
>> You allow everything and then use deny rules.
>>
>> profile example {
>>   file,
>>   network,
>>   capability,
>>   mount,
>>   ptrace,
>>   signal,
>>   unix,
>>   # err what ever else I am missing
>>
>>   deny /foo rw,
>>   deny capability sys_admin,
>>   # ...
>> }
>>
> THX for the quick answer, exactly what I was looking for!
>
> Any further docs on a complete list of operations? (# err what ever else I am
> missing)
>
The answer is it depends on your version of apparmor. The types of rules
should be covered by apparmor.d. But some of the ones I missed were
change_profile, dbus, pivot_root, umount, and rlimit, though these are weird as
they only set the rlimits for the task as the LSM has no hooks into their
enforcement, and you can't use deny rules with them.

New types are added from time to time as well. E.g. there are experimental
versions with X, gsettings, etc. rules, which will land at some point when they
are ready. Newer versions of the parser try hard to keep compatibility, but old
versions will break on rule types that are unknown.

-- 
AppArmor mailing list
[email protected]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
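The sketch in the thread, carried through as a complete default-allow profile. This is an added example, not a profile from the thread or from the AppArmor project: it combines the bare allow rules John listed (including the later-mentioned umount, pivot_root, dbus and change_profile) with a deny list, and it shows an rlimit rule as a plain `set` because, as noted above, rlimit rules cannot be denied. The attachment path `/usr/sbin/php-fpm*`, the webroot `/var/www/` and the specific deny targets are assumptions for illustration; deny rules always take precedence over the allow rules regardless of order.

```apparmor
# Added example (not from the thread): a default-allow "blacklist" profile
# for PHP-FPM. The binary path is an assumption; adjust it for your distro.
# Start in complain mode so violations are logged rather than enforced
# until the deny list has been reviewed against real traffic.
#include <tunables/global>

profile php-fpm /usr/sbin/php-fpm* flags=(complain) {
  #include <abstractions/base>

  # Default allow: a bare rule of each class grants everything in that class.
  # Old parsers reject rule types they do not know, so trim this list to
  # match the AppArmor version actually deployed.
  file,
  network,
  capability,
  mount,
  umount,
  pivot_root,
  ptrace,
  signal,
  unix,
  dbus,
  change_profile,

  # rlimit rules only set limits for the confined task; they cannot be
  # written as deny rules, so express the limit directly.
  set rlimit nofile <= 65536,
  set rlimit core <= 0,

  # Blacklist: deny rules win over the allow rules above.
  # "audit deny" also logs each refused access, which helps when tuning.
  audit deny /etc/shadow r,
  audit deny /etc/gshadow r,
  audit deny /root/** rw,
  audit deny /home/*/.ssh/** rw,
  # Assumed webroot: the worker may read PHP files but must not modify them.
  deny /var/www/**.php w,
  deny /proc/sys/** w,

  deny capability sys_admin,
  deny capability sys_module,
  deny capability sys_ptrace,
  deny capability sys_rawio,

  deny network raw,
  deny network packet,
  deny mount,
  deny umount,
  deny pivot_root,
  deny ptrace (trace),
}
```

Load it with `apparmor_parser -r` on the profile file, exercise the application while watching the audit log for `apparmor="ALLOWED"` entries (complain mode reports what enforce mode would have blocked), and only then drop `flags=(complain)` to enforce. Because the profile grants every class by default, the deny list is the whole policy; review it whenever the application or the AppArmor parser is upgraded.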
