[apparmor] How to confine querying of /proc to /proc/self?
John Johansen
john.johansen at canonical.com
Fri Jul 25 05:49:41 UTC 2014
On 07/23/2014 05:37 PM, Cameron Norman wrote:
> I have a profile with the rule "/proc/self/** r,", however the application is not allowed to access /proc/self.
>
> Since /proc/self is a symlink, it resolves to the actual directory, then the process trying to query its own attributes is denied access. How can access to only /proc/self be accomplished?
>
Unfortunately this is something that is not currently possible, due to
how path resolution is done. We do have plans to fix this via a kernel
variable (@{pid}) that will be matched at enforcement time. The rule
would be
/proc/@{pid}/** r,
We have started to use this in some policy so that the policy will
use it when the feature becomes available.
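The following is an added illustration, not code from the thread or from AppArmor itself. It emulates the two points above: the kernel resolves the /proc/self symlink before the path is mediated, so a "/proc/self/**" rule is compared against "/proc/<pid>/...", while a rule carrying "@{pid}" expanded to the calling task's pid at enforcement time matches the process's own entries and nothing else. The glob translation covers only "*", "**" and "?" (character classes and {a,b} alternation are deliberately omitted); the helper names (glob_to_regex, kernel_view, check) and the sample pid 4242 are invented for this example.

```python
"""Added example: why "/proc/self/** r," never matches and "/proc/@{pid}/**" does.

Not AppArmor code. The matcher handles only the '*', '**' and '?' globs
(assumption: enough for these rules); classes and {a,b} are not implemented.
"""
import os
import re


def glob_to_regex(rule_path: str) -> "re.Pattern[str]":
    """Translate an AppArmor-style path glob into an anchored regex.

    '**' matches any run of characters including '/', '*' matches within a
    single path component, '?' matches one non-'/' character.
    """
    parts = []
    i = 0
    while i < len(rule_path):
        if rule_path.startswith("**", i):
            parts.append(".*")
            i += 2
            continue
        c = rule_path[i]
        if c == "*":
            parts.append("[^/]*")
        elif c == "?":
            parts.append("[^/]")
        else:
            parts.append(re.escape(c))
        i += 1
    return re.compile("^" + "".join(parts) + "$")


def rule_matches(rule_path: str, resolved_path: str) -> bool:
    """True if the (already expanded) rule path matches the resolved path."""
    return glob_to_regex(rule_path).match(resolved_path) is not None


def expand_pid(rule_path: str, pid: int) -> str:
    """Emulate a kernel variable matched at enforcement time: @{pid} becomes
    the pid of the task making the access, not a compile-time constant."""
    return rule_path.replace("@{pid}", str(pid))


def kernel_view(path: str, pid: int) -> str:
    """Emulate symlink resolution: the task with this pid opening
    /proc/self/... ends up at /proc/<pid>/..., which is what gets mediated."""
    prefix = "/proc/self"
    if path == prefix or path.startswith(prefix + "/"):
        return "/proc/" + str(pid) + path[len(prefix):]
    return path


def check(rule_path: str, path: str, pid: int) -> bool:
    """Would a task with pid `pid`, opening `path`, be matched by `rule_path`?"""
    return rule_matches(expand_pid(rule_path, pid), kernel_view(path, pid))


if __name__ == "__main__":
    pid = os.getpid()
    # On Linux, realpath() walks the same symlink the kernel does.
    if os.path.exists("/proc/self"):
        print("resolved:", os.path.realpath("/proc/self/status"))
    print("/proc/self/**   vs own status:", check("/proc/self/**", "/proc/self/status", pid))
    print("/proc/@{pid}/** vs own status:", check("/proc/@{pid}/**", "/proc/self/status", pid))
    print("/proc/@{pid}/** vs pid 1     :", check("/proc/@{pid}/**", "/proc/1/status", pid))
```

The third case is the one that matters for confinement: "/proc/@{pid}/**" grants the task its own /proc entries only, whereas the obvious workaround "/proc/*/**" would also open every other process's entries.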