
     1  #include <tunables/global>
     2  
     3  profile example_profile {
     4    #include <abstractions/base>
     5  
     6    /path/to/allowed/file rw,
     7    /path/to/allowed/directory/ rw,
     8  
     9    /path/to/denied/file ix,
    10    /path/to/denied/directory/** ix,
    11  
    12    # You can add more rules as needed.
    13  
    14    # Deny everything else by default
    15    /  ix,
    16  
    17    # Allow reading for some directories
    18    /etc/ r,
    19    /usr/ r,
    20    /var/ r,
    21    /lib/ r,
    22    /bin/ r,
    23    /sbin/ r,
    24  
    25    # Allow connecting to the network
    26    network,
    27  
    28    # Allow necessary capabilities
    29    capability,
    30  
    31    # Allow signals
    32    signal,
    33  
    34    # Allow ptrace for debugging
    35    ptrace,
    36  
    37    # Allow accessing /proc entries
    38    /proc/** r,
    39  
    40    # Allow access to shared libraries
    41    /usr/lib/** mr,
    42    /lib/** mr,
    43  
    44    # Allow access to system fonts
    45    /usr/share/fonts/** r,
    46  
    47    # Allow accessing user's home directory
    48    /home/[username]/ r,
    49  
    50    # Deny access to sensitive files
    51    deny /etc/shadow r,
    52    deny /etc/passwd r,
    53    deny /etc/gshadow r,
    54    deny /etc/group r,
    55  
    56    # Log denied access attempts
    57    audit deny /path/to/denied/file,
    58    audit deny /path/to/denied/directory/,
    59  
    60    # Tunables
    61    /etc/apparmor.d/tunables/home -> /home/,
    62    /etc/apparmor.d/tunables/proc -> /proc/,
    63  }