[apparmor] [profile] Firefox: "DENIED", requested/denied_mask="r" for /proc/*/net/arp.
Christian Boltz
apparmor at cboltz.de
Fri Nov 18 19:30:26 UTC 2016
Hello,
On Friday, 18 November 2016, 11:14:52 CET, Seth Arnold wrote:
> On Fri, Nov 18, 2016 at 07:47:48PM +0100, daniel curtis wrote:
> > So if AppArmor DENIED /proc/2496/net/arp (requested_mask="r"
> > denied_mask="r") access and according to yours words I should use
> > such rule:
> >
> > @{PROC}/[0-9]*/net/arp r,
> >
> > Am I right? It is a sufficient rule? Can you confirm this?
>
> Hi Daniel, this rule should be sufficient to allow firefox's new netid
> feature to work.
For bonus points, you can use
@{PROC}/@{pid}/net/arp r,
which currently expands to "one or more digits" (see tunables/kernelvars
for the exact definition) and is not too different from [0-9]* [1].
The reason for using @{pid} is that we have plans to make it a kernel-
side variable so that @{pid} will be interpreted as "this process' own
pid only". Note that this is a _plan_ and that I didn't mention any date
;-)
We also have a variable @{pids} for "all pids".
Regards,
Christian Boltz
[1] "[0-9]*" means a digit, followed by any number of any char (not only
digits) - but thanks to the /proc/ layout, there is no real
difference in practice
--
A short correct answer (some may call it unfriendly) is better
than a long, friendly, wrong one.
[Dirk H. Hohndel, SuSE]
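The difference footnote [1] describes, as an added example that is not part of this thread and not AppArmor's own matcher (apparmor_parser compiles rules to a DFA): a toy Python translation of AppArmor's path-glob syntax, as documented in apparmor.d(5), into regular expressions, run over the two candidate rules from the mail. The @{PROC} and @{pid} expansions are assumptions here (regex fragments standing in for the tunables); the real definitions live in tunables/proc and tunables/kernelvars, and the mail only says @{pid} currently expands to "one or more digits".

```python
import re

# ASSUMED variable expansions, written as regex fragments for this toy.
# Real AppArmor tunables hold glob strings, not regexes.
VARIABLES = {
    "PROC": re.escape("/proc"),   # stand-in for tunables/proc
    "pid": "[0-9]+",               # "one or more digits", as the mail says
    "pids": "[0-9]+",              # @{pids}: all pids, same expansion today
}


def _matching_brace(s, start):
    """Index of the '}' that closes the '{' at s[start]."""
    depth = 0
    for j in range(start, len(s)):
        if s[j] == "{":
            depth += 1
        elif s[j] == "}":
            depth -= 1
            if depth == 0:
                return j
    raise ValueError("unbalanced '{' in glob: %s" % s)


def _split_alternatives(s):
    """Split 'a,b,{c,d}' on top-level commas only."""
    alts, cur, depth = [], [], 0
    for ch in s:
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
        if ch == "," and depth == 0:
            alts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    alts.append("".join(cur))
    return alts


def _translate(glob):
    """AppArmor glob -> unanchored Python regex fragment.

    apparmor.d(5) globbing: '*' is zero or more chars not crossing '/',
    '**' crosses '/', '?' is one non-'/' char, '[..]' is a character
    class (incl. ranges and [^..]), '{a,b}' is alternation, '@{v}' is a
    variable expansion.
    """
    out, i = [], 0
    while i < len(glob):
        c = glob[i]
        if glob.startswith("@{", i):
            end = _matching_brace(glob, i + 1)
            out.append("(?:%s)" % VARIABLES[glob[i + 2:end]])
            i = end + 1
        elif glob.startswith("**", i):
            out.append(".*")
            i += 2
        elif c == "*":
            out.append("[^/]*")
            i += 1
        elif c == "?":
            out.append("[^/]")
            i += 1
        elif c == "[":
            end = glob.index("]", i)
            out.append(glob[i:end + 1])   # same class syntax in Python's re
            i = end + 1
        elif c == "{":
            end = _matching_brace(glob, i)
            alts = _split_alternatives(glob[i + 1:end])
            out.append("(?:%s)" % "|".join(_translate(a) for a in alts))
            i = end + 1
        else:
            out.append(re.escape(c))
            i += 1
    return "".join(out)


def rule_matches(rule_path, path):
    """True if the path part of a profile rule matches the whole path."""
    return re.fullmatch(_translate(rule_path), path) is not None


def compare_rules(paths):
    """For each path, which of the two candidate rules would allow it."""
    rules = {"[0-9]*": "@{PROC}/[0-9]*/net/arp",
             "@{pid}": "@{PROC}/@{pid}/net/arp"}
    return {p: {name: rule_matches(g, p) for name, g in rules.items()}
            for p in paths}


if __name__ == "__main__":
    # Constructed sample paths; the first is the one from the DENIED line.
    for path, result in compare_rules([
            "/proc/2496/net/arp",
            "/proc/2496abc/net/arp",   # digit + arbitrary chars: only [0-9]*
            "/proc/self/net/arp",      # no digits: neither rule
    ]).items():
        print(path, result)
```

Running it shows what the footnote says: both rules allow /proc/2496/net/arp, only "[0-9]*" would also allow a name like /proc/2496abc/net/arp, and neither touches /proc/self/net/arp. The same matcher shows the more common profile mistake, that "**" crosses directory boundaries while "*" does not, so "@{PROC}/**/arp" is much broader than "@{PROC}/*/arp".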