
Proposal: Syntax for whitelisting approach

Open sd65 opened this issue 8 years ago • 0 comments

Hi,

First, thanks for this tool. Now, I'm trying to lock my containers as much as possible. Those are very simple and I would like to do something like:

...

[Filesystem]
ReadOnlyPaths = [
	"/**"
]

LogOnWritePaths = [
	"/**"
]

WritablePaths = [
	"/dev/shm/nginx.pid"
]

AllowExec = [
	"/usr/sbin/nginx"
]

# denied executable files
DenyExec = [
	"/**"
]

...

But this does not work. I know the AppArmor syntax makes this approach hard, but do you think it will be possible to implement this approach? Maybe use this kind of strange rule/regex in AppArmor: /dev/{?,??,[^s][^h][^m]**}?

What do you think?

sd65 · Jan 18 '18 15:01
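As an added example (not part of the issue and not bane's own output), this is what the proposed whitelist looks like once written directly in AppArmor's rule language, and why the two "/**" deny entries are the part that cannot be expressed as posted. The profile name and the flags are placeholders; the paths are the ones from the issue.

```apparmor
# Added example, hand-written AppArmor profile; profile name is a placeholder.
#include <tunables/global>

profile nginx-whitelist flags=(attach_disconnected) {
  #include <abstractions/base>

  # ReadOnlyPaths = ["/**"]: read (and mmap, "m", so shared libraries load)
  # anywhere. No "w" is granted here, and an AppArmor profile is default-deny,
  # so every write outside the rules below is already refused and logged as
  # apparmor="DENIED" in the kernel log. That covers LogOnWritePaths = ["/**"]
  # without an explicit rule.
  /** rm,

  # WritablePaths = ["/dev/shm/nginx.pid"]: the single file nginx may write.
  /dev/shm/nginx.pid rw,

  # AllowExec = ["/usr/sbin/nginx"]: the only binary allowed to execute
  # ("ix" = run it under this same profile). With no other "x" rule in the
  # profile, every other exec is denied by default.
  /usr/sbin/nginx ix,

  # What DenyExec = ["/**"] and a deny-write-everywhere rule would become.
  # These are left commented out on purpose: in AppArmor an explicit deny rule
  # takes precedence over every allow rule, regardless of how specific the
  # allow rule is, so either line would also block /usr/sbin/nginx and
  # /dev/shm/nginx.pid above. The whitelist has to rely on default-deny
  # instead of on a catch-all deny.
  # deny /** x,
  # deny /** w,
}
```

Load it with `apparmor_parser -r` on the file and check `aa-status` to confirm the profile is in enforce mode; denied writes and execs then show up in `dmesg` or `/var/log/audit/audit.log` with `apparmor="DENIED"`.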