Reputation: 499
In AppArmor for docker on Ubuntu, I have a directory /var/www that contains a bunch of virtual hosts' files. I want to deny all paths except one, so that each virtual host only sees their own files. I've tried so many things like:
deny /var/www/{**^,vhost1}/ rw,
Notice that I have a comma after **^ - I think this is because the {**^} syntax is not actually supported yet. Does anyone know when that will be supported or how to get around this problem?
Judging from:
http://wiki.apparmor.net/index.php/QuickProfileLanguage
It still seems to be a "proposed feature".
uname -a
Linux testerserver 4.4.0-75-generic #96-Ubuntu SMP Thu Apr 20 09:56:33 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
Upvotes: 5
Views: 1267
Reputation: 2497
You can do it like this:
deny /var/www/[^vhost1]* rw,
Found the answer on https://gitlab.com/apparmor/apparmor/-/wikis/AppArmor_Core_Policy_Reference#examples-using-globbing-to-match-files
Upvotes: 3
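In AppArmor globbing, [^vhost1] is a character class that matches one character other than v, h, o, s, t or 1, and * does not cross a /. The Python model below is an added example, not code from either post or from AppArmor: it checks which paths the rule from the answer covers and compares it with an allow rule for /var/www/vhost1/**. The helper names, the handling of character classes (passed through unchanged) and the sample paths are assumptions made for the illustration.

```python
import re

def aa_glob_to_regex(glob):
    """Model a subset of AppArmor path globbing as an anchored regex.
    Hypothetical helper for illustration, not apparmor_parser's own code."""
    out, i, depth = [], 0, 0
    while i < len(glob):
        c = glob[i]
        if glob.startswith("**", i):
            out.append(".*")          # ** matches across '/'
            i += 1
        elif c == "*":
            out.append("[^/]*")       # * stops at '/'
        elif c == "?":
            out.append("[^/]")        # ? is one character other than '/'
        elif c == "[":
            end = glob.index("]", i + 1)
            out.append(glob[i:end + 1])   # [..] / [^..]: exactly one character
            i = end
        elif c == "{":
            out.append("(?:"); depth += 1
        elif c == "}" and depth:
            out.append(")"); depth -= 1
        elif c == "," and depth:
            out.append("|")           # {a,b} alternation
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("^" + "".join(out) + "$")

def matching_paths(glob, paths):
    """Return the paths a rule with this glob would apply to."""
    rx = aa_glob_to_regex(glob)
    return [p for p in paths if rx.match(p)]

# Constructed sample paths (not from the original post).
SAMPLE_PATHS = [
    "/var/www/vhost1/index.html",
    "/var/www/vhost2",
    "/var/www/vhost2/index.html",
    "/var/www/test",
    "/var/www/blog",
    "/var/www/blog/index.html",
]

if __name__ == "__main__":
    # Rule from the answer: only names whose FIRST character is outside the set match.
    print("deny  [^vhost1]* :", matching_paths("/var/www/[^vhost1]*", SAMPLE_PATHS))
    # Allow-list form: grant the one vhost; no other path under /var/www matches.
    print("allow vhost1/**  :", matching_paths("/var/www/vhost1/**", SAMPLE_PATHS))
```

In this model the deny rule matches only /var/www/blog: vhost2 and test start with a character inside the class, and files below a directory are never reached by a single *. A profile that grants only /var/www/vhost1/** leaves the other vhosts without any allow rule, provided it contains no broader file rule.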