Proposal: Syntax for whitelisting approach #16

@sd65

Description

Hi,

First, thanks for this tool.
Now, I'm trying to lock my containers as much as possible. Those are very simple and I would like to do something like:

...

[Filesystem]
ReadOnlyPaths = [
	"/**"
]

LogOnWritePaths = [
	"/**"
]

WritablePaths = [
	"/dev/shm/nginx.pid"
]

AllowExec = [
	"/usr/sbin/nginx"
]

# denied executable files
DenyExec = [
	"/**"
]

...

But this does not work. I know the AppArmor syntax makes this approach hard, but do you think it will be possible to implement this approach?
Maybe use those kinds of strange rules/regexes in AppArmor: /dev/{?,??,[^s][^h][^m]**}?

What do you think?
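The /dev/{?,??,[^s][^h][^m]**} pattern above is the closest AppArmor's glob syntax gets to "everything under /dev except shm", because the syntax has no negation operator. The following is an added example (mine, not code from the issue or from the project) that models the documented apparmor.d(5) glob semantics in Python and checks which constructed sample paths that pattern actually fails to cover.

```python
import re

def glob_to_regex(glob: str) -> str:
    """Translate an AppArmor path glob into a Python regex fragment.

    Models the documented apparmor.d(5) rules: '**' matches any characters
    including '/', '*' matches any characters except '/', '?' matches one
    non-'/' character, '[...]' / '[^...]' are character classes and
    '{a,b}' is alternation. This is a teaching model, not AppArmor's own
    matcher; nested braces are not supported.
    """
    out, i = [], 0
    while i < len(glob):
        c = glob[i]
        if glob.startswith("**", i):
            out.append(".*"); i += 2
        elif c == "*":
            out.append("[^/]*"); i += 1
        elif c == "?":
            out.append("[^/]"); i += 1
        elif c == "[":
            j = glob.index("]", i)
            out.append("[" + glob[i + 1:j] + "]"); i = j + 1
        elif c == "{":
            j = glob.index("}", i)
            alts = (glob_to_regex(a) for a in glob[i + 1:j].split(","))
            out.append("(?:" + "|".join(alts) + ")"); i = j + 1
        else:
            out.append(re.escape(c)); i += 1
    return "".join(out)

def glob_matches(glob: str, path: str) -> bool:
    """True if the whole path is matched by the glob."""
    return re.fullmatch(glob_to_regex(glob), path) is not None

def uncovered_paths(glob: str, paths) -> list:
    """Paths from `paths` that the glob does NOT match, sorted."""
    return sorted(p for p in paths if not glob_matches(glob, p))

# The workaround pattern from the issue, meant as "/dev/* except /dev/shm".
PROPOSED_GLOB = "/dev/{?,??,[^s][^h][^m]**}"

# Constructed sample paths (not taken from any real container).
PROBE_PATHS = [
    "/dev/null", "/dev/tty", "/dev/random", "/dev/pts/0",
    "/dev/sda", "/dev/stdin", "/dev/shm/nginx.pid",
]

if __name__ == "__main__":
    for p in PROBE_PATHS:
        print(f"{p:22s} {'covered' if glob_matches(PROPOSED_GLOB, p) else 'NOT covered'}")
    # Only /dev/shm/... should be left out, but /dev/sda and /dev/stdin are too:
    print(uncovered_paths(PROPOSED_GLOB, PROBE_PATHS))
```

The character classes only reject the first three characters individually, so any /dev entry starting with "s" (sda, stdin, ...) is dropped along with shm; a policy built this way silently denies more than intended.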
