[apparmor] How to confine querying of /proc to /proc/self?
Felix Geyer
debfx at ubuntu.com
Fri Jul 25 19:17:39 UTC 2014
On 25.07.2014 13:25, Christian Boltz wrote:
>> In the meantime, @{PROC}/@{pid}/ r, is going to be the best you can
>> do. It'll automatically tighten up when we introduce a @{pid}
>> kernel-side variable.
> Well, it's nearly the best ;-)
>
> You can/should also add the "owner" keyword which excludes reading /proc
> entries of processes run by other users:
>
> owner @{PROC}/@{pid}/** r,
/proc/@{pid}/net/** is always root-owned though, so you might need to allow that
without the owner modifier.
Cheers,
Felix
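The two rules discussed above, put together in a profile fragment. This is an added example, not code from the thread or from the AppArmor project; the binary path /usr/bin/procinfo is a hypothetical placeholder, and the fragment assumes @{PROC} and @{pid} are defined by the tunables it includes, as in the thread.

```apparmor
# Added example (not from the thread): a hypothetical /usr/bin/procinfo
# that needs to read its own /proc entries and nothing from other users.
#include <tunables/global>

/usr/bin/procinfo {
  #include <abstractions/base>

  # Too broad: matches /proc/<pid>/ of every process on the system,
  # because /proc/self is just a symlink that resolves to /proc/<pid>.
  # @{PROC}/@{pid}/** r,

  # Tighter: "owner" only matches files whose uid equals the task's
  # fsuid, i.e. this user's own processes (not root's or other users').
  owner @{PROC}/@{pid}/** r,

  # /proc/<pid>/net/* is root-owned regardless of who owns the process,
  # so the owner rule above never matches it; grant it without "owner"
  # only if the program actually needs it.
  @{PROC}/@{pid}/net/** r,
}
```

After loading the profile with apparmor_parser -r, run the program in complain mode and check the audit log for DENIED entries on /proc paths; the owner rule is working as intended if reads of another user's /proc/<pid>/ entries are logged while the process's own succeed.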