[apparmor] How to confine querying of /proc to /proc/self?
Christian Boltz
apparmor at cboltz.de
Fri Jul 25 11:25:31 UTC 2014
Hello,
Am Donnerstag, 24. Juli 2014 schrieb Seth Arnold:
> ptrace read peer=@{profile_name},
Note that the ptrace rule was introduced in AppArmor 2.8.95 (= 2.9 beta1).
It's not available in older releases.
> In the meantime, @{PROC}/@{pid}/ r, is going to be the best you can
> do. It'll automatically tighten up when we introduce a @{pid}
> kernel-side variable.
Well, it's nearly the best ;-)
You can/should also add the "owner" keyword which excludes reading /proc
entries of processes run by other users:
owner @{PROC}/@{pid}/** r,
Regards,
Christian Boltz
--
Only on my dog's account (he is my test user)
are all the desktop icons gone [...]
But he doesn't use the computer that often anyway.
[Bernd Kloss in suse-linux]
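The rules discussed in this thread side by side in one profile fragment, as an added example that is not from the original mails or from the AppArmor project's shipped profiles. The program path /usr/bin/example is a placeholder; the rules themselves are the ones quoted above (the broad @{PROC}/@{pid}/ r, the owner-restricted variant, and the ptrace read peer rule), and the abstraction and tunables includes are the standard ones from the AppArmor profile layout. @{PROC} comes from tunables/proc (pulled in by tunables/global), and @{pid} is, at the time of the thread, a parser-side pattern from the tunables rather than the kernel-side variable Seth mentions.

```apparmor
# Added example profile fragment; /usr/bin/example is a placeholder path.
#include <tunables/global>

/usr/bin/example {
  #include <abstractions/base>

  # Too broad: grants read access to every process's /proc/<pid>/ tree,
  # regardless of who owns the process. Kept here only for comparison.
  # @{PROC}/@{pid}/ r,

  # Better: only /proc/<pid>/ entries whose owner uid matches the uid of
  # the confined process (the "owner" keyword from Christian's reply).
  # Processes run by other users are no longer readable.
  owner @{PROC}/@{pid}/** r,

  # Requires AppArmor 2.8.95 (= 2.9 beta1) or newer; older parsers reject
  # the ptrace rule with a syntax error. Limits ptrace-read style access
  # to peers confined by this same profile.
  ptrace read peer=@{profile_name},
}
```

Two caveats worth knowing when using the owner-restricted rule: /proc/<pid> directories of processes that are not dumpable (setuid binaries and the like) are owned by root rather than by the user running them, so a non-root confined process will not match them even with owner, which is usually the desired outcome; and until the kernel-side @{pid} variable exists, @{pid} only restricts the path shape, not which pid, so owner is what actually keeps the rule from reaching into other users' processes.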