If no profile is loaded for the executing binary, AppArmor imposes no control: the process runs unconfined.
If a profile is loaded for the executing binary, the profile's access rules are enforced on the process (in enforce mode; a profile in complain mode only logs what it would have denied).
Processes are not bound to a profile by default.
A profile is attached at execve() time, so the binding must be requested before the file is executed: either the profile's attachment path matches the binary, or the process asks for a specific profile for its next exec.
A process requests this by writing "exec profile_name" to /proc/self/attr/apparmor/exec (older kernels: /proc/self/attr/exec); the kernel then switches the task to profile_name at its next execve(). This is what libapparmor's aa_change_onexec() does. The profile must already be loaded, otherwise the write fails with ENOENT.
From the shell, aa-exec does the same: aa-exec -p profile_name -- command runs command confined by profile_name (the profile must be loaded first, e.g. with apparmor_parser -r).
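The transition described above, done directly through the /proc interface rather than via aa-exec, as an added example that is not code from the page or from the AppArmor project. It reads the caller's own confinement label, requests the profile named in argv[1] for the next exec, then execs the rest of the command line. The profile name is whatever you pass; it must already be loaded. Both the newer /proc/self/attr/apparmor/ and the older /proc/self/attr/ locations are tried, as libapparmor does.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Parse the label AppArmor reports in /proc/self/attr/{apparmor/,}current:
 * "unconfined\n", "/usr/bin/evince (enforce)\n", "demo (complain)\n".
 * Returns 0 for unconfined, 1 when a profile is attached (profile and mode
 * copied out), -1 when the text has neither shape (e.g. another LSM). */
int parse_confinement(const char *label, char *profile, size_t plen,
                      char *mode, size_t mlen)
{
    size_t n = strcspn(label, "\n");      /* ignore the trailing newline */
    const char *paren = NULL;

    if (n == strlen("unconfined") && strncmp(label, "unconfined", n) == 0) {
        snprintf(profile, plen, "unconfined");
        snprintf(mode, mlen, "%s", "");
        return 0;
    }
    for (size_t i = 0; i + 1 < n; i++)     /* last " (" starts the mode */
        if (label[i] == ' ' && label[i + 1] == '(')
            paren = label + i;
    if (!paren || label[n - 1] != ')')
        return -1;
    snprintf(profile, plen, "%.*s", (int)(paren - label), label);
    snprintf(mode, mlen, "%.*s", (int)((label + n - 1) - (paren + 2)), paren + 2);
    return 1;
}

/* Read the caller's own label; -1 if no AppArmor attr file can be read. */
int current_confinement(char *profile, size_t plen, char *mode, size_t mlen)
{
    static const char *const paths[] = {
        "/proc/self/attr/apparmor/current", "/proc/self/attr/current" };
    char buf[512];
    for (size_t i = 0; i < 2; i++) {
        int fd = open(paths[i], O_RDONLY);
        if (fd < 0) continue;
        ssize_t n = read(fd, buf, sizeof buf - 1);
        close(fd);
        if (n < 0) return -1;
        buf[n] = '\0';
        return parse_confinement(buf, profile, plen, mode, mlen);
    }
    return -1;
}

/* Write "exec <profile>" to the per-task attr file so the kernel applies
 * <profile> at the next execve(). Newer kernels expose the apparmor/
 * subdirectory, older ones only /proc/self/attr/exec; try both.
 * Returns 0 on success, -1 with errno set (ENOENT: profile not loaded or
 * no AppArmor interface; EACCES: the transition is not permitted). */
int request_profile_on_exec(const char *profile)
{
    static const char *const paths[] = {
        "/proc/self/attr/apparmor/exec", "/proc/self/attr/exec" };
    char cmd[256];
    int len = snprintf(cmd, sizeof cmd, "exec %s", profile);
    if (len < 0 || (size_t)len >= sizeof cmd) { errno = ENAMETOOLONG; return -1; }

    for (size_t i = 0; i < 2; i++) {
        int fd = open(paths[i], O_WRONLY);
        if (fd < 0) {
            if (errno == ENOENT) continue;   /* this kernel lacks that path */
            return -1;
        }
        ssize_t w = write(fd, cmd, (size_t)len);
        int saved = errno;
        close(fd);                           /* close() must not clobber errno */
        if (w == len) return 0;
        errno = saved;
        return -1;
    }
    errno = ENOENT;
    return -1;
}

/* Usage: ./aa_onexec <profile> <command> [args...]  (profile is your choice) */
int main(int argc, char **argv)
{
    char profile[256], mode[32];
    if (argc < 3) {
        fprintf(stderr, "usage: %s <profile> <command> [args...]\n", argv[0]);
        return 2;
    }
    if (current_confinement(profile, sizeof profile, mode, sizeof mode) >= 0)
        fprintf(stderr, "before exec: %s %s\n", profile, mode);
    if (request_profile_on_exec(argv[1]) < 0) {
        perror("request_profile_on_exec");
        return 1;
    }
    execvp(argv[2], argv + 2);               /* the child runs under argv[1] */
    perror("execvp");
    return 1;
}
```

Run it as ./aa_onexec profile_name cat /proc/self/attr/current and the second column shows the new label and mode; with a profile name that is not loaded the request fails before the exec, which is the failure a wrapper should check for instead of silently running the target unconfined.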
While a profile confines a process, everything is denied by default: each file, capability, network or other access the program needs must be explicitly allowed by the profile.
A few rule types are not deny-by-default, however. rlimit rules, for example, only set limits when present; a profile without them leaves the process's inherited limits unchanged.
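A minimal profile illustrating the default-deny rule and the rlimit exception, added here as an example and not taken from the page or from any shipped AppArmor profile. The profile name demo, the attachment path /usr/local/bin/demo and the two file paths are assumed for illustration.

```apparmor
# Added example profile; names and paths are hypothetical.
#include <tunables/global>

profile demo /usr/local/bin/demo {
  #include <abstractions/base>

  # Explicit allow list: its own binary, one config file, one log file.
  # Every other file, every capability and all network access is denied
  # because no rule grants it; denials show up in the audit log.
  /usr/local/bin/demo mr,
  /etc/demo.conf r,
  /var/log/demo.log w,

  # rlimits are the exception to default-deny: this rule caps open files,
  # but without it demo would simply keep the limits it inherited.
  set rlimit nofile <= 64,
}
```

Load it with apparmor_parser -r /etc/apparmor.d/demo; after that, executing /usr/local/bin/demo attaches the profile automatically, and aa-exec -p demo -- some_other_command applies the same allow list to an arbitrary program.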