[apparmor] Default policy issue
Christian Boltz
apparmor at cboltz.de
Mon Oct 24 20:23:22 UTC 2016
Hello,
Am Montag, 24. Oktober 2016, 14:11:49 CEST schrieb Pierre Zurek:
> What I don't understand is that the profile seems to have a default
> allow policy although I thought deny was the default policy in
> AppArmor. Indeed, the /bin/busybox sh call gets correctly denied
> because of the explicit "audit deny /bin/* lrwxk" rule, however the
> "/sbin/busybox sh" call is successful.
>
> Could you explain to me why the default policy is allow instead of
> deny and how can I change this ?
Your profile contains
file,
which allows all file access (including exec in ix mode).
Remove that rule and add specific file rules for what you actually need.
Also, you have other rules that allow everything in that area:
signal, # all signals
mount, # mounting anything anywhere
network, # full network access
Also, your capability list is quite broad. Are you sure you really need
all of them?
Regards,
Christian Boltz
--
SYNOPSIS
glimpse - [almost all letters] pattern
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: This is a digitally signed message part.
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20161024/ee121215/attachment.pgp>
More information about the AppArmor
mailing list