You are not logged in.
- Topics: Active | Unanswered
#1 2019-09-14 14:12:21
- vlmrgn
- Member
- Registered: 2019-09-11
- Posts: 3
Apparmor disable network for all applications except some
Hi,
I am running arch with kernel 5.2. I have enabled enabled my AppArmor, and it works perfectly fine.
Whenever I want to disable internet usage for an application, I put it to complain mode first, then I add following configuration, and it disables network for that app successfully:
#include <tunables/global>
/usr/bin/myapp=(complain) {
#include <abstractions/base>
deny network inet,
deny network inet,
deny network raw,
...
}How can I disable network for all application with one configuration, then enable just for some apps that i pick?
Offline
#2 2019-09-19 13:24:33
- PatriArch
- Member
- Registered: 2019-09-18
- Posts: 3
Re: Apparmor disable network for all applications except some
Hi vlmrgn,
I'm only able to answer theoretically but it seems possible stacking profiles with globbed path definitions like:
profile homes /home/** {...
profile everywhere /** {...Hoping it can be a start for your investigations.
BTW, I'm interested in doing the same setup than yours but failed to makes the network rules to work on my Arch. I've opened an independent topic to track this issue. For instance, did you run the stock arch kernel(+parameters?) or did you compile it on your own after patching it?
Thanks
Offline