On Fri, Dec 2, 2011 at 3:35 PM, Rob Meijer <[email protected]> wrote:
> Progress on MinorFs2 is proceeding slowly, but there is progress,
> design is basically ready and I've started on re-implementing the
> first file-system in Python.

Superb! I'm glad to hear you're making progress.

> If AppArmor could be configured such that it could deny access to
> anything under the cap_fs mount-point to all unconfined processes.
> Does this make sense? And if so, would you consider this as a feature
> request for future versions of AppArmor, or does such a feature
> actually already exist?

I have long wanted (or, rather, I _think_ I want) the ability to deny network access to all unconfined programs. I don't trust the network, and would like to force _all_ network access to go through confined programs.

I must admit that I've never tried a /** catch-all profile to deny network access, but something about that approach doesn't feel the same as saying "I want these specific resources to be accessed via confined programs only".

-- 
AppArmor mailing list
[email protected]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
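For readers who want to see what the per-program half of this discussion looks like today, here is an added AppArmor profile example; it is not from the thread and not part of MinorFs2 or AppArmor's own shipped profiles. It confines one program, denies it all network access, and denies it everything under a cap_fs mount point. The program path `/usr/bin/untrusted-app` and the mount point `/mnt/cap_fs` are assumed placeholders. Note the limitation the thread is asking about: these rules bind only processes running under this profile, and an unconfined process is not affected by them at all.

```apparmor
# Added example profile (not from the thread). Assumed placeholders:
#   /usr/bin/untrusted-app  -- the program being confined
#   /mnt/cap_fs             -- the cap_fs mount point discussed above
# Rules in a profile apply only to processes running under that profile;
# unconfined processes are untouched, which is the gap the thread raises.
#include <tunables/global>

/usr/bin/untrusted-app {
  #include <abstractions/base>

  # The program binary itself (read + mmap).
  /usr/bin/untrusted-app mr,

  # Deny all network access for this program. A profile with no "network"
  # rule already has no networking, but an explicit deny is quiet by default
  # (use "audit deny network," to log attempts instead of silently refusing).
  deny network,

  # Deny everything under the cap_fs mount point, directory and contents.
  deny /mnt/cap_fs/ rw,
  deny /mnt/cap_fs/** mrwkl,

  # Ordinary working files the program legitimately needs.
  owner @{HOME}/untrusted-app-data/ rw,
  owner @{HOME}/untrusted-app-data/** rw,
}
```

Save this as `/etc/apparmor.d/usr.bin.untrusted-app` and load it with `apparmor_parser -r /etc/apparmor.d/usr.bin.untrusted-app`; denied accesses then surface as `apparmor="DENIED"` audit records only if the rule is prefixed with `audit`. What the profile cannot express is "deny this to every process that has no profile", which is exactly why the question above is framed as a feature request rather than a configuration change.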
