Mayukh Sarkar

Reputation: 2625

How to allow an AppArmor path but deny rest of the subpath

I have an AppArmor profile. I have a directory tree like

/home
   /nonroot
   /Documents
   /Pictures
   .
   .
   .

Now I want to allow only the /nonroot path and deny the rest of the paths in the /home dir. How can I do that? Note that I have to make it generic, as I don't know how many sub-dirs I may have inside /home.

Upvotes: 0

Views: 1315

Answers (2)

sciallasemper

Reputation: 1

You may want to write these rules:

# deny anything with a name shorter than 7 chars
deny /home/?{,/} wl,
deny /home/??{,/} wl,
deny /home/???{,/} wl,
deny /home/????{,/} wl,
deny /home/?????{,/} wl,
deny /home/??????{,/} wl,

# deny anything with a name of 7 chars different from 'nonroot'
deny /home/[^n]??????{,/} wl,
deny /home/?[^o]?????{,/} wl,
deny /home/??[^n]????{,/} wl,
deny /home/???[^r]???{,/} wl,
deny /home/????[^o]??{,/} wl,
deny /home/?????[^o]?{,/} wl,
deny /home/??????[^t]{,/} wl,

# deny anything with a name longer than 7 chars
deny /home/????????*{,/} wl,

Upvotes: 0
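As an added example (not part of the answer above and not code from the AppArmor project), the following Python generates the same deny-rule scheme for any parent directory and any name to keep, and pairs it with a small matcher for the four AppArmor glob constructs the rules use (`?`, `*`, `[^x]` and `{,/}`) so the rule set can be checked offline against sample paths. The matcher is my own approximation covering only those constructs, not AppArmor's real parser; the names `deny_rules`, `glob_to_regex` and `is_denied` are my choices.

```python
import re
from typing import List

# AppArmor glob semantics assumed here (see the AppArmor profile language docs):
#   ?      one character other than '/'
#   *      any run of characters other than '/'
#   [^x]   one character that is not x
#   {,/}   alternation: empty string or '/', so a rule covers both
#          "/home/name" and "/home/name/"
GLOB_META = set("?*[]{}/")


def deny_rules(parent: str, keep: str, perms: str = "wl") -> List[str]:
    """Return deny rules covering every entry directly under `parent` whose
    name differs from `keep`: shorter names, equal-length names that differ
    in at least one position, and longer names."""
    if not keep or GLOB_META & set(keep):
        raise ValueError("name to keep must be non-empty and contain no glob metacharacters")
    n = len(keep)
    rules = []
    # names shorter than the kept name
    for length in range(1, n):
        rules.append(f"deny {parent}/{'?' * length}{{,/}} {perms},")
    # names of the same length that differ at position i
    for i, ch in enumerate(keep):
        rules.append(f"deny {parent}/{'?' * i}[^{ch}]{'?' * (n - i - 1)}{{,/}} {perms},")
    # names longer than the kept name (n+1 fixed chars, then anything non-'/')
    rules.append(f"deny {parent}/{'?' * (n + 1)}*{{,/}} {perms},")
    return rules


def glob_to_regex(pattern: str) -> str:
    """Translate the subset of AppArmor globs used above into an anchored regex."""
    out = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "?":
            out.append("[^/]")
        elif c == "*":
            out.append("[^/]*")
        elif c == "[":
            j = pattern.index("]", i)
            out.append(pattern[i:j + 1])  # character class is valid regex as-is
            i = j
        elif c == "{":
            j = pattern.index("}", i)
            alts = pattern[i + 1:j].split(",")
            out.append("(?:" + "|".join(re.escape(a) for a in alts) + ")")
            i = j
        else:
            out.append(re.escape(c))
        i += 1
    return "^" + "".join(out) + "$"


def is_denied(path: str, rules: List[str]) -> bool:
    """True if any rule of the form 'deny <glob> <perms>,' matches `path`."""
    for rule in rules:
        glob = rule.split()[1]
        if re.match(glob_to_regex(glob), path):
            return True
    return False


if __name__ == "__main__":
    rules = deny_rules("/home", "nonroot")
    print("\n".join(rules))
    # constructed sample paths: only the kept directory should pass
    for p in ["/home/nonroot", "/home/nonroot/", "/home/Documents",
              "/home/Pictures", "/home/nonroo", "/home/Nonroot"]:
        print(f"{p:20} denied={is_denied(p, rules)}")
```

The generated list for `nonroot` is the same fourteen rules as the answer above. Note that none of the deny globs descend into a directory, since `?` and `*` never match `/`, so a separate allow rule such as `/home/nonroot/** r,` is still needed for the contents of the kept directory, and the profile has to be in enforce mode (check with `aa-status`) for any of this to take effect.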

dcc310

Reputation: 1076

What you want is in fact the normal behavior of AppArmor. That is, /home/nonroot/file.txt r, allows reading just that file and nothing else. If you don't give permission to read Documents, Pictures, etc., then the program cannot access those.

(This is as long as you are actually enforcing the profile. Profiles can be disabled or put into complain or audit mode, which perhaps could confuse someone about how their rules are working.)

Upvotes: 0
