[suse-security] Deny access to file for all applications with apparmor?
Hi, I was recently going through the manuals of apparmor. As far as I could understand, you can create profiles for specific executables. I was wondering, however, is it possible to create a 'generic' profile that should be applied to ANY process started? Or, what I really want to accomplish, how can I deny access to a specific file for ALL processes, except, let's say, one or two? If I understand the concept right, this can't be done, but let me know if I am wrong, please!
-- Blade hails you... Toll no bell for me father But let this suffering pass from me Send me no shepherd to heal my world But the Angel - the dream foretold --Nightwish
The Saturday 2006-09-30 at 11:44 +0300, Boyan Tabakov wrote:
> Or, what I really want to accomplish, how can I deny access to a specific file for ALL processes, except, let's say, one or two? If I understand the concept right, this can't be done, but let me know if I am wrong, please!
The file could belong to a certain user, and only he could open it. The processes in question could be run by that user (or be suid to that user). Perhaps a better alternative would be acl.
-- Cheers, Carlos E. R.
On 1.10.2006 02:30, Carlos E. R. wrote:
> The Saturday 2006-09-30 at 11:44 +0300, Boyan Tabakov wrote:
>> Or, what I really want to accomplish, how can I deny access to a specific file for ALL processes, except, let's say, one or two? If I understand the concept right, this can't be done, but let me know if I am wrong, please!
> The file could belong to a certain user, and only he could open it. The processes in question could be run by that user (or be suid to that user). Perhaps a better alternative would be acl.
So this is not possible with apparmor? I'll try the way you say. Thanks!
-- Blade hails you... Never sigh for better world It's already composed, played and told Every thought the music I write Everything a wish for the night --Nightwish
The Sunday 2006-10-01 at 10:15 +0300, Boyan Tabakov wrote:
> So this is not possible with apparmor? I'll try the way you say. Thanks!
I can't say that, I'm no AA expert. I only say that it should be possible the other way.
-- Cheers, Carlos E. R.
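Added example, not part of the thread and not code from either poster: the ownership and ACL approach suggested in the replies, as shell functions that lock a file to its owner and then audit that nothing else is granted access. The account names `vaultsvc` and `backupsvc`, the path `/srv/secret.key`, and the function names are hypothetical; GNU `stat` is assumed, and the `acl` tools are used only when installed.

```shell
#!/bin/sh
# Added example; account names and paths are hypothetical.
# Root-side setup for a dedicated account "vaultsvc" (not run by this script):
#   chown vaultsvc: /srv/secret.key
#   setfacl -m u:backupsvc:r /srv/secret.key   # ACL variant: one extra reader

# lock_to_owner FILE: drop extended ACL entries, then group/other mode bits.
# Order matters: with an ACL present, chmod g= only changes the ACL mask.
lock_to_owner() {
    if command -v setfacl >/dev/null 2>&1; then
        setfacl -b "$1" 2>/dev/null || true
    fi
    chmod u=rw,go= "$1"
}

# audit_exclusive FILE OWNER_UID [ALLOWED_ACL_USER...]
# Returns 0 only if FILE belongs to OWNER_UID and nothing but the owner and
# the listed named ACL users is granted any permission.
audit_exclusive() {
    file=$1; want_uid=$2; shift 2
    allowed=" $* "
    [ -f "$file" ] || { echo "not a regular file: $file" >&2; return 2; }
    [ "$(stat -c %u "$file")" = "$want_uid" ] || { echo "owner mismatch" >&2; return 1; }
    entries=
    if command -v getfacl >/dev/null 2>&1; then
        entries=$(getfacl -cp "$file" 2>/dev/null) || entries=
    fi
    if [ -z "$entries" ]; then
        # No usable ACL listing: fall back to the group/other mode bits.
        [ $(( 0$(stat -c %a "$file") & 077 )) -eq 0 ] && return 0
        echo "group/other mode bits set" >&2; return 1
    fi
    while IFS=: read -r tag name perms; do
        perms=${perms%%[!rwx-]*}              # strip any "#effective:" suffix
        [ "$perms" = "---" ] && continue      # entry grants nothing
        case "$tag:$name" in
            user:|mask:|:*) continue ;;       # owner entry, mask, blank line
            user:*) case "$allowed" in *" $name "*) continue ;; esac ;;
        esac
        echo "unexpected grant: $tag:$name:$perms" >&2
        return 1
    done <<EOF
$entries
EOF
    return 0
}
```

File permissions and ACLs do not restrain root, so a process running as root can still open the file; the audit only covers unprivileged access.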