Skip to content

AppArmor.d

Rule too wide

roddhjav/apparmor.d

AppArmor.d

roddhjav/apparmor.d

Home
Home
- Home
  Home
- Getting Started
  Getting Started
- Advanced
  Advanced
- Troubleshooting
  Troubleshooting
  - Known issues
  - System Recovery
Security
Security
- Security
  Security
- Security Model
  Security Model
- Implementation
  Implementation
  - Security Architecture
  - Security Hardening
Development
Development
- Development
  Development
  - Roadmap
- Profiles
  Profiles
  - Workflow
  - Guidelines
  - Internal
  - Directives
  - Dbus
  - Recommendations
- Packages
  Packages
  - Building the profiles
- Tests
  Tests
Abstractions
Abstractions
- Abstractions
  Abstractions
- Layers
  Layers
- System
  System
- Specialized
  Specialized
Linter
Linter
- Linter
  Linter
- Security Checks
  Security Checks
  - Abstractions
  - Rule too wide Rule too wide
    On this page
    
    Problematic rule
    
    Correct rule
    
    Rationale
    
    Exceptions
    
    Related Resources
  - Transition
  - Tunables
- Compatibility Checks
  Compatibility Checks
  - Abi
  - Bin
  - Directory Mark
  - Equivalent
- Style Checks
  Style Checks

`too-wide`¶

Rule too wide may lead to confinement escape or data leaks.

Problematic rule¶

# WRONG
/tmp/** rw,

# WRONG
/etc/** rw,

Correct rule¶

Limit access to only required files as much as you can. For example:

/tmp/<profile>@{rand6}/{,**} rw,

/etc/<profile>/** rw,

Rationale¶

Full access to entire config and temporary directories is dangerous as it may allow confinement escape or data leaks. It is better to restrict access to only the required files or subdirectories.

Exceptions¶

When a profile needs access to the full system, because it is a package manager for example.