Apparmor - how to 'allow everything' rule, then tighten up?

This is not the right approach.

In general, blacklisting is a poor basis for a security policy - it should be based on whitelisting - and the syntax of AppArmor is predicated on this. To that end, you should start with no specifics in the profile, but set the profile action to complain instead of enforce. You can set this in the profile (flags=(complain)) or using the aa-complain command. Then the specific directives to permit an operation become redundant.

I believe the authoritative documentation is that published by SuSE. But, briefly, for file access the config format is:

<object> <permissions>,

Note that the globbing in object (if it's a path) is slightly different from what you may be familiar with at the command line. There's more dbus-specific stuff here.
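To make the "<object> <permissions>," format and the AppArmor-specific globbing concrete, here is an added, offline checker (example code, not from the answer above or from the AppArmor project) that implements the glob rules documented in apparmor.d(5): '*' matches anything except '/', '**' also crosses '/', '?' is one non-'/' character, '[..]' is a character class and '{a,b}' is alternation. The sample rules and paths are constructed; nested braces and the "owner" ownership check are not modelled.

```python
import re

def _glob_to_regex(pattern: str) -> str:
    """Translate an AppArmor path glob into a regex source string."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if pattern.startswith('**', i):
            out.append('.*'); i += 2          # '**' crosses directory boundaries
        elif c == '*':
            out.append('[^/]*'); i += 1       # '*' stays within one path component
        elif c == '?':
            out.append('[^/]'); i += 1        # one character, never '/'
        elif c == '[':
            j = pattern.index(']', i)
            out.append('[' + pattern[i + 1:j] + ']'); i = j + 1
        elif c == '{':                        # alternation; nested braces unsupported
            j = pattern.index('}', i)
            alts = pattern[i + 1:j].split(',')
            out.append('(?:' + '|'.join(_glob_to_regex(a) for a in alts) + ')')
            i = j + 1
        else:
            out.append(re.escape(c)); i += 1
    return ''.join(out)

def glob_matches(pattern: str, path: str) -> bool:
    """True if the AppArmor glob matches the whole path (rules are anchored)."""
    return re.fullmatch(_glob_to_regex(pattern), path) is not None

def file_rule_allows(rule: str, path: str, perm: str) -> bool:
    """Check one file rule such as "/var/log/** rw," against (path, perm).
    perm is a single permission letter: r, w, a, k, l, m or x."""
    body = rule.strip().rstrip(',').strip()
    if body.startswith('owner '):             # ownership qualifier is ignored here
        body = body[len('owner '):]
    obj, perms = body.rsplit(None, 1)
    if not glob_matches(obj, path):
        return False
    if perm == 'a' and 'w' in perms:          # write permission covers append
        return True
    if perm == 'x':                           # ix/px/ux/cx (and P/U/C) all grant exec
        return 'x' in perms
    return perm in perms

if __name__ == '__main__':
    # Constructed rules showing how '*' and '**' differ for a nested log file.
    print(file_rule_allows('/var/log/* r,', '/var/log/apt/history.log', 'r'))
    print(file_rule_allows('/var/log/** r,', '/var/log/apt/history.log', 'r'))
```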


But is the allow *, a correct syntax for 'allow everything'?

Correct syntax for allow everything looks like:

profile DAC /path/to/exec {
  # Allow all rules
  capability,
  network,
  mount,
  remount,
  umount,
  pivot_root,
  ptrace,
  signal,
  dbus,
  unix,
  file,
}

Actually, there are two more rules:

  1. rlimit (AppArmor can set and control the resource limits associated with a profile)
  2. change_profile (control which permissions for which profiles a confined task can transition to)

But they have no meaning in this particular case.

Tags: Linux, Apparmor