[apparmor] Priority of two matching profiles

engelflorian at posteo.de engelflorian at posteo.de
Sat Mar 8 13:03:48 UTC 2025


Hi,

What is the priority if two profiles match? E.g. /usr/bin/cat matches the
profiles /usr/bin/c* and /usr/bin/ca*. Which profile is it using?

I use NixOS and have generated profiles for all programs which are
installed by my configuration. I then want to add a default profile
which is only used if no other profile matches.

I don't think I can do that with profile inheritance, because if I switch
from the default profile it always switches to the systemd profile. If I
add inheritance to the systemd profile it selects the default profile
and not the more specific ones.

I tried it with a config like this:
```
profile /nix/store/***-systemd/**  flags=(attach_disconnected) {
  # allow everything
  capability,
  network,
  mount,
  remount,
  umount,
  pivot_root,
  ptrace,
  signal,
  dbus,
  unix,
  file,
}
...
profile default /** flags=(attach_disconnected) {
  capability,
  network,
  mount,
  remount,
  umount,
  pivot_root,
  ptrace,
  signal,
  dbus,
  unix,
  file,

  # Deny some sensitive files
  deny /home/florian/.ssh/{,**} mrwlk,
}
```
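Added example, not from the original post or the AppArmor project: a small Python check that translates AppArmor attachment globs into regular expressions and reports every executable claimed by more than one profile, which is the overlap the question is about. The attachment specs mirror the ones in the post; the executable paths and the Nix store hash are constructed for the demonstration.

```python
import re
from typing import Dict, List

# Constructed attachment specs modelled on the question, plus made-up executable paths.
ATTACHMENTS = ["/usr/bin/c*", "/usr/bin/ca*", "/nix/store/***-systemd/**", "/**"]
SAMPLE_EXECUTABLES = ["/usr/bin/cat", "/usr/bin/cp", "/usr/bin/ls",
                      "/nix/store/abc123-systemd/lib/systemd/systemd"]


def aa_glob_to_regex(glob: str) -> "re.Pattern[str]":
    # '*' matches anything except '/', a run of two or more '*' also crosses '/',
    # '?' is one non-'/' char and '{a,b}' is alternation; the rest is literal.
    out: List[str] = []
    depth = i = 0  # depth tracks nesting of {...} alternations
    while i < len(glob):
        ch = glob[i]
        if ch == "*":
            j = i
            while j < len(glob) and glob[j] == "*":
                j += 1
            out.append(".*" if j - i >= 2 else "[^/]*")
            i = j
            continue
        if ch == "?":
            out.append("[^/]")
        elif ch == "{":
            depth += 1
            out.append("(?:")
        elif ch == "," and depth:
            out.append("|")
        elif ch == "}" and depth:
            depth -= 1
            out.append(")")
        else:
            out.append(re.escape(ch))
        i += 1
    if depth:
        raise ValueError(f"unbalanced braces in {glob!r}")
    return re.compile("".join(out))


def matching_attachments(path: str, attachments: List[str]) -> List[str]:
    # Every attachment spec whose glob matches the whole executable path.
    return [a for a in attachments if aa_glob_to_regex(a).fullmatch(path)]


def find_overlaps(paths: List[str], attachments: List[str]) -> Dict[str, List[str]]:
    # Paths claimed by more than one profile: exactly the ambiguity the question raises.
    return {p: m for p in paths if len(m := matching_attachments(p, attachments)) > 1}
```

Running it over the real attachment specs and the binaries installed by the configuration lists every overlap, so each one can be resolved deliberately rather than left to whichever profile the kernel picks.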