I want a AppArmor profile which denies a binary access to all files except .so-files/libraries and specific directories which it need access to.
#include
/home/test/rust-api/target/debug/python-executor flags=(complain) {
# deny all outgoing network requests.
deny network inet,
deny network inet6,
deny network tcp,
deny network udp,
#deny writing and executing all files.
deny /** rwkx,
# allow .sp files.
allow /**.so*
# allow files for smem and unixsockets.
allow /home/test/rust-api/tmp/** rwk,
allow /home/test/rust-api/tmp/sockets/** rwk,
#allow reading python scripts in trading_algos.
allow /home/test/rust-api/trading_algos/** r,
}deny /** rwkx to deny all files and later specify what files to allow. But still AppArmor denies access to all files.
Asked by O'Niel
(169 rep)
Feb 12, 2024, 12:57 AM