
AppArmor deny all files except specifics

Çağlar Arlı

I have a Rust app which uses PyO3 to execute arbitrary Python code. The Python code should only be able to do basic math operations and in no way should be able to access the network (except Unix sockets) or have access to files except a few paths.

I was able to configure AppArmor to deny network access. But now I want to have a configuration which denies access to all paths in my home directory except a few paths necessary for the code.

#include <tunables/global>

/home/test/rust-server/target/debug/python-executor flags=(complain) {
    # deny all outgoing network requests.
    deny network inet,
    deny network inet6,
    deny network tcp,
    deny network udp,
    
    # deny all files in home folder.
    deny file /home/test/** rwkx,

    # allow files for smem and unixsockets.
    allow file /home/test/rust-server/tmp/** rwkml,
    allow file /home/test/rust-server/tmp/sockets/** rwkml,
    allow file /home/test/rust-server/tmp/shmem/** rwkml,
    
    #allow reading python scripts in trading_algos.
    allow file /home/test/rust-server/trading_algos/** r,
    
}

The logic was that I start by denying all files first, and then specify the files it should have access to. This AppArmor profile denies all files in the home folder, including the ones specified with allow.
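
Added example, not part of the original post: AppArmor gives `deny` rules precedence over `allow` rules regardless of their order in the profile, and in complain mode only explicit `deny` rules are enforced. The sketch below therefore drops the blanket deny and the complain flag and relies on enforce mode's implicit deny. The two abstraction includes and the rule letting the binary map itself are assumptions about what the executable needs.

```apparmor
#include <tunables/global>

# No flags=(complain): in enforce mode every access that is not
# explicitly allowed below is denied, so no blanket deny is needed.
/home/test/rust-server/target/debug/python-executor {
    # Assumption: shared libraries and the embedded Python runtime are
    # covered by these stock abstractions.
    #include <abstractions/base>
    #include <abstractions/python>

    # Assumption: the executable needs to read and map its own image.
    allow file /home/test/rust-server/target/debug/python-executor mr,

    # Explicit denies remain useful for access that must never be granted,
    # even if an included abstraction would allow it.
    deny network inet,
    deny network inet6,
    deny network tcp,
    deny network udp,

    # Unix domain sockets stay available.
    network unix,

    # No "deny file /home/test/** rwkx": that rule would override every
    # allow rule below, which is the behaviour seen in the question.

    # tmp/** already covers tmp/sockets/** and tmp/shmem/**.
    allow file /home/test/rust-server/tmp/** rwkml,

    # Read-only access to the Python scripts in trading_algos.
    allow file /home/test/rust-server/trading_algos/** r,
}
```

After reloading the profile with `apparmor_parser -r` on the profile file, any access that is still missing appears as an `apparmor="DENIED"` entry in the kernel or audit log and can be added as a narrow allow rule.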