On 24/10/2016 22:23, Christian Boltz wrote:
> Hello,
>
> On Monday, 24 October 2016, 14:11:49 CEST, Pierre Zurek wrote:
> > What I don't understand is that the profile seems to have a default
> > allow policy although I thought deny was the default policy in
> > AppArmor. Indeed, the /bin/busybox sh call gets correctly denied
> > because of the explicit "audit deny /bin/* lrwxk" rule, however the
> > "/sbin/busybox sh" call is successful.
> >
> > Could you explain to me why the default policy is allow instead of
> > deny and how can I change this?
>
> Your profile contains
>      file,
> which allows all file access (including exec in ix mode).
>
> Remove that rule and add specific file rules for what you actually need.
>
>
> Also, you have other rules that allow everything in that area:
>      signal,  # all signals
>      mount,  # mounting anything anywhere
>      network,  # full network access
>
> Also, your capability list is quite broad. Are you sure you really need
> all of them?
>
>
> Regards,
>
> Christian Boltz

Hello,

Thanks a lot for your answer, it works now!
The capability list is based on https://github.com/Parrot-Developers/firmwared/blob/master/resources/firmwared.apparmor.profile and I did not delete all the lines before posting a simpler example here (but it seems we need quite a lot of them in firmwared).

Pierre
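
An added example, not part of the original thread or of the firmwared profile: a small Python check that flags the bare rules pointed out in the reply above (`file,`, `signal,`, `mount,`, `network,`), which each allow everything in their class. The sample profile is constructed, and the function name and the inclusion of bare `capability,` are this example's own choices.

```python
import re

# Rule classes that, written bare (no path, flags or conditions), allow
# everything in that class. "capability" is added here as an assumption.
BLANKET_CLASSES = {"file", "signal", "mount", "network", "capability"}

# Optional qualifiers, the rule class keyword, then directly the closing comma.
BARE_RULE = re.compile(
    r"^(?P<quals>(?:(?:audit|allow|deny)\s+)*)(?P<cls>[a-z_]+)\s*,$"
)

def strip_comment(line):
    """Drop a trailing '# ...' comment (enough for rules without a quoted '#')."""
    return line.split("#", 1)[0].strip()

def find_blanket_rules(profile_text):
    """Return (line_number, rule_class) for every bare allow rule."""
    findings = []
    for number, raw in enumerate(profile_text.splitlines(), start=1):
        match = BARE_RULE.match(strip_comment(raw))
        if not match or match.group("cls") not in BLANKET_CLASSES:
            continue
        if "deny" in match.group("quals").split():
            continue  # a bare deny narrows the profile, it does not widen it
        findings.append((number, match.group("cls")))
    return findings

# Constructed sample profile (not the profile from the thread).
SAMPLE_PROFILE = """\
profile example-shell flags=(attach_disconnected) {
  capability sys_admin,
  file,
  signal,  # all signals
  mount,
  network,
  audit deny /bin/* lrwxk,
  /sbin/busybox ix,
  deny mount,
}
"""

if __name__ == "__main__":
    for number, cls in find_blanket_rules(SAMPLE_PROFILE):
        print(f"line {number}: bare '{cls},' allows all {cls} access")
```

Rules that name a path or a specific capability, such as `/sbin/busybox ix,` or `capability sys_admin,`, are not reported; only the unqualified forms are.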
