github.com/castai/kvisor@v1.7.1-0.20240516114728-b3572a2607b5/tools/hack/demo2023/apparmor.profile (about) 1 #include <tunables/global> 2 3 profile example_profile { 4 #include <abstractions/base> 5 6 /path/to/allowed/file rw, 7 /path/to/allowed/directory/ rw, 8 9 /path/to/denied/file ix, 10 /path/to/denied/directory/** ix, 11 12 # You can add more rules as needed. 13 14 # Deny everything else by default 15 / ix, 16 17 # Allow reading for some directories 18 /etc/ r, 19 /usr/ r, 20 /var/ r, 21 /lib/ r, 22 /bin/ r, 23 /sbin/ r, 24 25 # Allow connecting to the network 26 network, 27 28 # Allow necessary capabilities 29 capability, 30 31 # Allow signals 32 signal, 33 34 # Allow ptrace for debugging 35 ptrace, 36 37 # Allow accessing /proc entries 38 /proc/** r, 39 40 # Allow access to shared libraries 41 /usr/lib/** mr, 42 /lib/** mr, 43 44 # Allow access to system fonts 45 /usr/share/fonts/** r, 46 47 # Allow accessing user's home directory 48 /home/[username]/ r, 49 50 # Deny access to sensitive files 51 deny /etc/shadow r, 52 deny /etc/passwd r, 53 deny /etc/gshadow r, 54 deny /etc/group r, 55 56 # Log denied access attempts 57 audit deny /path/to/denied/file, 58 audit deny /path/to/denied/directory/, 59 60 # Tunables 61 /etc/apparmor.d/tunables/home -> /home/, 62 /etc/apparmor.d/tunables/proc -> /proc/, 63 }