It is important to note that AppArmor profiles are specific to applications, and you need to create or modify profiles for each application you want to restrict. Additionally, you should audit existing AppArmor policies to ensure that they do not inadvertently grant access to the restricted directory.
To restrict access to a directory by default system-wide, you would need to create a global deny rule, but this is not the default behavior of AppArmor. By default, AppArmor allows access to everything by default and restricts access based on profiles.
I’ve added plenty of rules over the years but this one is new to me.
sudo aa-status --count
apparmor module is loaded.
2073
99
You just might get away with it using a sym-link, just an example:
There are others who can explain this much better than I can, but let’s start with the basics which is that AppArmor is not meant to restrict access system-wide or globally.
Instead, you restrict specific applications from accessing x, y, or z.
Aha! That gives me the information I was looking for. I misinterpreted the intention of AppArmor. It is logical that it behaves per application, hence the name I guess
I rather not use a tool to do something it is not meant for.
Do you (or someone else reading this) know where I should be looking for preventing applications or commands executed in a shell to access certain directories?
Background is that I use Graphene OS on my phone, and that got me thinking about the security on my desktop. If I have a directory containing sensitive information, like for example a backup of my Signal chats, I would like to deny access by default and tell what commands or applications are allowed to read or write there. Like ls, rm, cd, cp, mv, etc. And the filemanager. And that’s it.
Only solution I know now to have it on offline backup. So I was hoping there is a tool or construct to use to deny by default.
I have restricted Firefox.deb Not the Snap from Documents and It dose ok. But this sounds to me as mistrust for users perhaps.
To prevent applications or commands executed in a shell from accessing certain directories, you can implement several strategies:
Restricted Shell : Use a restricted shell like rbash or lshell . A restricted shell limits the user’s ability to change directories, execute certain commands, and access files outside their home directory. For example, you can set up a restricted shell by setting the user’s shell to /bin/rbash and configuring the PATH to a directory containing only the allowed binaries and scripts.2
Filesystem Permissions : Utilize Linux filesystem permissions to control access to directories. You can set permissions on directories to restrict read, write, and execute access. For example, you can set the permissions of sensitive directories to be readable and executable only by specific users or groups.
Mandatory Access Control (MAC) : Implement a MAC system like AppArmor or SELinux. These systems allow you to define policies that control which processes can access specific files and directories. For instance, you can set up an AppArmor profile for a user’s shell that restricts access to certain directories.
Chroot Jails : Use chroot to create a jailed environment where the user’s view of the filesystem is limited to a specific directory tree. This can prevent users from accessing directories outside the chroot environment.
Groups and Permissions : Create groups and set the group ownership of executables to control who can run certain programs. For example, you can set the group of an executable to a specific group and add users to that group to grant them access.
By combining these methods, you can effectively restrict access to certain directories and commands, enhancing the security of your system.
You might also find filesystem attributes interesting for such kind of restrictions, take a look at the chattr tool (i.e. man chattr) it operates on a lower level than filesystem permissions (i.e. what you set with chmod)
