More of a general question in Linux space.
I have been using AppArmor for a while now. One disadvantage I see is that it needs to be updated for each application, which means another application can be installed and then bypass everything that was set up if you forget to update the AppArmor profiles again.
There is one sensitive directory on my Linux machine that I already encrypt as it contains all my personal documents, banking information and so on. I already set up librewolf and a few other apps to prevent them from accessing it via AppArmor, but any other app is still capable of just extracting the data while it's decrypted. For example, basic commands like cp (copy), rsync, mv, cat, more, terminal/GUI apps and everything else still have access to this directory.
I understand AppArmor was built with per-application profile enforcement. However, in this instance I would find something very valuable that would allow me to define deny-all by default for a directory, but also to allow whitelisting specific applications such as cat to display content.
Does anything like this exist?
We could do something similar by having individual users specifically for sensitive content, but this question is more about restricting app access.
Have you considered using SELinux?
Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.
clean chroot building not flexible enough?
Try clean chroot manager by graysky
I also think that SELinux could solve your issue. If I'm not wrong, it does have a mode where you can log everything but SELinux is learning what system calls you are using for each program; after a time you can use the enforce mode to apply the config made by your daily use + SELinux, and see it and change the settings if you don't like it. Not sure how to do it in AppArmor to be honest, but maybe it is possible.
Another thing you can do is using Linux capabilities and seccomp. Most of the time you use AppArmor/SELinux + seccomp + capabilities + Linux ACLs for security stuff related to computer configuration. So maybe you can set up that your core utils don't have internet access by creating limitations with capabilities + seccomp. Seccomp allows you to define which syscalls are allowed, but maybe you will need that your core utils have the ability to read files, which maybe you don't want to have. But if you limit the internet access, maybe that's an improvement for you. But not sure how to make exceptions for your browsers, since if I'm not wrong, the browsers do make use of some core utils.
But if you want to have the most secure system and don't care about getting tracked by device fingerprint and some hours of configuration, maybe you should try OpenBSD.
Last edited by Succulent of your garden (2025-05-25 00:16:47)
str( @soyg ) == str( @potplant ) btw!
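The thread's core worry is that an AppArmor setup only protects the directory from programs whose profiles were remembered. The script below is an added example, not code from the thread or from the AppArmor project: it audits a set of profile texts and reports, per profile, whether the sensitive directory is explicitly denied, allowed, or not mentioned at all. The profile texts and the `/home/alice/private` path are constructed for the example; the `deny` precedence it relies on is AppArmor's documented behaviour (deny rules override allow rules). It cannot see programs that have no profile at all, which is exactly the gap the poster describes.

```python
import re

# Constructed sample profiles in AppArmor syntax (not taken from the thread).
SENSITIVE = "/home/alice/private"
PROFILES = {
    "librewolf": """
profile librewolf /usr/bin/librewolf flags=(attach_disconnected) {
  /home/*/ r,
  /home/*/** rw,
  deny /home/*/private/** rwklmx,
}""",
    "cat": "\n/usr/bin/cat {\n  /home/** r,\n}",
    "rsync": "\n/usr/bin/rsync {\n  /etc/** r,\n}",
}

# One file rule: optional deny/audit/owner qualifiers, an absolute path glob, a permission set.
RULE_RE = re.compile(
    r"^\s*(?P<deny>deny\s+)?(?:audit\s+)?(?:owner\s+)?(?P<path>/\S+)\s+(?P<perms>[rwklmxiPUCpuc]+),\s*$",
    re.M)
# Profile header: either "profile NAME ... {" or "/path/to/binary ... {".
NAME_RE = re.compile(r"^\s*(?:profile\s+)?(?P<name>\S+)[^{\n]*\{", re.M)

def glob_to_regex(glob):
    """AppArmor glob to regex: '**' crosses directories, '*' and '?' do not, '{a,b}' alternates."""
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*"); i += 2; continue
        c = glob[i]
        out.append({"*": "[^/]*", "?": "[^/]", "{": "(?:", "}": ")", ",": "|"}.get(c, re.escape(c)))
        i += 1
    return re.compile("".join(out) + r"\Z")

def rule_covers(glob, directory):
    """True if the glob matches a file directly inside the directory or nested deeper."""
    rx = glob_to_regex(glob)
    return any(rx.match(p) for p in (directory + "/probe", directory + "/sub/probe"))

def audit_profile(text, directory):
    """'deny' if an explicit deny rule covers the directory (deny wins over allow),
    'allow' if only allow rules cover it, 'no-rule' if nothing in the profile mentions it."""
    verdict = "no-rule"
    for m in RULE_RE.finditer(text):
        if rule_covers(m.group("path"), directory):
            if m.group("deny"):
                return "deny"
            verdict = "allow"
    return verdict

def audit_profiles(profiles, directory):
    """Map each profile's name to its verdict for the directory."""
    return {NAME_RE.search(t).group("name"): audit_profile(t, directory) for t in profiles.values()}

if __name__ == "__main__":
    for name, verdict in audit_profiles(PROFILES, SENSITIVE).items():
        print(f"{name:16} {verdict}")
```

On a real system the same functions can be fed the contents of the files under `/etc/apparmor.d/`; any profile reported as `allow` or `no-rule` is one the poster forgot, and any binary with no profile is unconfined and never appears in the report.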