Proposal: Syntax for whitelisting approach #16

Open
sd65 opened this issue Jan 18, 2018 · 0 comments

Comments


sd65 commented Jan 18, 2018

Hi,

First, thanks for this tool.
Now, I'm trying to lock my containers as much as possible. Those are very simple and I would like to do something like:

...

[Filesystem]
ReadOnlyPaths = [
	"/**"
]

LogOnWritePaths = [
	"/**"
]

WritablePaths = [
	"/dev/shm/nginx.pid"
]

AllowExec = [
	"/usr/sbin/nginx"
]

# denied executable files
DenyExec = [
	"/**"
]

...

But this does not work. I know the AppArmor syntax makes this approach hard, but do you think it will be possible to implement this approach?
Maybe use this kind of strange rule/regex in AppArmor: /dev/{?,??,[^s][^h][^m]**}?

What do you think?
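An added example (not from the original post and not the project's own code) that generalises the `/dev/{?,??,[^s][^h][^m]**}` idea: given one whitelisted path it generates the AppArmor-style globs that cover every other path, so a `deny` rule (which in AppArmor takes precedence over allows) can be written without catching the whitelisted file, and it checks the result with a small glob matcher. Assumed glob semantics: `*` and `?` stop at `/`, `**` crosses it, and `[^c]` matches one character other than `c`; the matcher is a self-check, not AppArmor's own engine.

```python
import re

# Added example, not the project's own code. Assumed AppArmor glob semantics:
# '*' and '?' never cross '/', '**' does, '[^c]' matches one char other than c
# (the checker below also keeps '[^c]' from matching '/').

def not_component(name):
    """Globs matching any single path component except `name` (and anything below it)."""
    pats = []
    for j, ch in enumerate(name):
        pats.append(name[:j] + "[^" + ch + "]**")   # same first j chars, differs at j
        if j:                                       # a proper prefix, e.g. "sh" for "shm"
            pats += [name[:j], name[:j] + "/**"]
    pats.append(name + "?**")                       # has the name as prefix but is longer
    return pats

def exclusion_globs(allowed):
    """Globs that together match every path except `allowed` and its parent directories."""
    parts = allowed.strip("/").split("/")
    globs = []
    for depth, comp in enumerate(parts):
        prefix = "/" + "".join(p + "/" for p in parts[:depth])
        globs += [prefix + p for p in not_component(comp)]
    return globs

def deny_rules(allowed, perms="w"):
    """One deny rule per glob; deny wins in AppArmor, so the allowed file must not be covered."""
    return ["deny %s %s," % (g, perms) for g in exclusion_globs(allowed)]

def glob_to_regex(glob):
    """Minimal translation of the glob subset generated above, for self-checking only."""
    out, i = "", 0
    while i < len(glob):
        if glob.startswith("**", i):
            out, i = out + ".*", i + 2
        elif glob[i] in "*?":
            out, i = out + ("[^/]*" if glob[i] == "*" else "[^/]"), i + 1
        elif glob[i] == "[":                        # only the '[^c]' form is generated
            end = glob.index("]", i)
            out, i = out + "[^/" + re.escape(glob[i + 2:end]) + "]", end + 1
        else:
            out, i = out + re.escape(glob[i]), i + 1
    return re.compile("^" + out + "$")

def denied(path, allowed):
    """True if any generated glob matches `path`, i.e. the deny rules would catch it."""
    return any(glob_to_regex(g).match(path) for g in exclusion_globs(allowed))

if __name__ == "__main__":
    for rule in deny_rules("/dev/shm/nginx.pid"):
        print(rule)
```

The parent directories on the allowed path (`/dev`, `/dev/shm`) are deliberately left uncovered, since creating the file needs write access to its directory; they need their own rules.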

@jessfraz jessfraz changed the title Whitelisting approach Proposal: Syntax for whitelisting approach Jun 6, 2018