Hello, Am Montag, 24. Oktober 2016, 14:11:49 CEST schrieb Pierre Zurek: > What I don't understand is that the profile seems to have a default > allow policy although I thought deny was the default policy in > AppArmor. Indeed, the /bin/busybox sh call gets correctly denied > because of the explicit "audit deny /bin/* lrwxk" rule, however the > "/sbin/busybox sh" call is successful. > > Could you explain to me why the default policy is allow instead of > deny and how can I change this ?
Your profile contains
file,
which allows all file access (including exec in ix mode).
Remove that rule and add specific file rules for what you actually need.
Also, you have other rules that allow everything in that area:
signal, # all signals
mount, # mounting anything anywhere
network, # full network access
Also, your capability list is quite broad. Are you sure you really need
all of them?
Regards,
Christian Boltz
--
SYNOPSIS
glimpse - [almost all letters] pattern
signature.asc
Description: This is a digitally signed message part.
-- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
