[apparmor] How to confine querying of /proc to /proc/self?

Seth Arnold seth.arnold at canonical.com
Fri Jul 25 06:00:02 UTC 2014


On Thu, Jul 24, 2014 at 12:30:21AM -0007, Cameron Norman wrote:
> I have a profile with the rule "/proc/self/** r,", however the
> application is not allowed to access /proc/self.
> 
> Since /proc/self is a symlink, it resolves to the actual directory,
> then the process trying to query its own attributes is denied
> access. How can access to only /proc/self be accomplished?

At some point in the future, we'll introduce a new variable @{pid} that
can express "this process's pid", which would be useful for /proc/pid/..
and for files (typically lockfiles) with the pid included. It currently
expands to match all pids.

However, access to other processes' /proc/pid/* files will trigger the
apparmor ptrace 'read' checks, allowing you to control whether or not
those accesses will work:
  # just this profile
  ptrace read peer=@{profile_name},

In the meantime, @{PROC}/@{pid}/ r, is going to be the best you can do.
It'll automatically tighten up when we introduce a @{pid} kernel-side
variable.

> P.S. please keep me CC'd, as I am not subscribed to this ML currently.

Thanks, always nice for the hint :)

Thanks
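As an added illustration (not part of the thread above), here is how the advice fits into a profile fragment: the rule that fails because the kernel sees the resolved path, the recommended @{PROC}/@{pid}/ rule, and the ptrace rule that keeps reads of other processes' /proc entries confined. The profile path /usr/bin/example and the per-file rules beneath the pid directory are assumptions; @{PROC} and @{pid} are assumed to come from tunables/global.

```apparmor
#include <tunables/global>   # assumed to define @{PROC} and @{pid}

# Hypothetical profile for illustration only.
/usr/bin/example {
  #include <abstractions/base>

  # Does NOT work: /proc/self is a symlink, and the kernel hands
  # AppArmor the resolved path /proc/<pid>/..., which this never matches.
  # /proc/self/** r,

  # Recommended in the thread: @{pid} currently expands to every pid,
  # so this matches /proc/<anypid>/ until a kernel-side @{pid} exists.
  @{PROC}/@{pid}/ r,

  # Assumed per-file rules for querying the process's own attributes;
  # the directory rule above grants listing only, not the files below it.
  @{PROC}/@{pid}/status r,
  @{PROC}/@{pid}/cmdline r,

  # Reading another process's /proc/<pid>/* triggers the ptrace 'read'
  # check; limiting the peer to this profile keeps the broad @{pid}
  # match from exposing unrelated processes.
  ptrace read peer=@{profile_name},
}
```

Once a kernel-side @{pid} ships, the same rules tighten to the process's own pid without any profile change.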