On 06/21/2016 10:47 PM, Georg Schoenberger wrote:
> Hi AppArmor Team,
>
> I am currently working on a profile for PHP-FPM. Unfortunately the
> application is quite complicated, therefore I am thinking about using
> a blacklist (default allow) in the profile:
> * http://wiki.apparmor.net/index.php/FAQ#What_is_Default_Allow_.28Black_listing.29
>
> Any examples on how to do that in the profile?
>
You allow everything and then use deny rules.

profile example {
  file,
  network,
  capability,
  mount,
  ptrace,
  signal,
  unix,
  # err whatever else I am missing
  deny /foo rw,
  deny capability sys_admin,
  # ...
}
--
AppArmor mailing list
[email protected]
Modify settings or unsubscribe at:
https://lists.ubuntu.com/mailman/listinfo/apparmor
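
Added example, not part of the original message or of AppArmor itself: a small audit of a default-allow profile that lists which rule classes have no blanket allow rule (the "whatever else I am missing" question) and which deny rules are present. The keyword list is an assumption drawn from apparmor.d(5) and is not exhaustive; the parser assumes one rule per line in a single flat profile.

```python
import re

# Assumption: keywords that apparmor.d(5) accepts as a bare rule allowing a
# whole class. Illustrative, not exhaustive.
BARE_CLASSES = ("file", "network", "capability", "mount", "umount",
                "pivot_root", "ptrace", "signal", "dbus", "unix")

# The profile from the reply, reproduced as sample input.
SAMPLE = """\
profile example {
  file,
  network,
  capability,
  mount,
  ptrace,
  signal,
  unix,
  deny /foo rw,
  deny capability sys_admin,
}
"""

def rules(profile_text):
    """Yield the rules of one flat profile, assuming one rule per line."""
    for line in profile_text.splitlines():
        line = re.sub(r"(^|\s)#.*", "", line.strip()).strip()  # drop comments
        if line.endswith(","):              # every AppArmor rule ends in ','
            yield " ".join(line[:-1].split())

def audit(profile_text):
    """Return (classes lacking a blanket allow rule, deny rules found)."""
    blanket, denies = set(), []
    for rule in rules(profile_text):
        words, quals = rule.split(), []
        while words and words[0] in ("audit", "allow", "deny"):
            quals.append(words.pop(0))      # peel off rule qualifiers
        if "deny" in quals:
            denies.append(rule)
        elif len(words) == 1 and words[0] in BARE_CLASSES:
            blanket.add(words[0])           # bare keyword: whole class allowed
    return [c for c in BARE_CLASSES if c not in blanket], denies

if __name__ == "__main__":
    missing, denies = audit(SAMPLE)
    print("no blanket allow rule for:", ", ".join(missing) or "none")
    print("deny rules:", denies)
```

Deny rules take precedence over allow rules, so the blanket rules do not weaken the two denies reported for the sample.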