On Tue, Jun 25, 2013 at 06:31:09AM +0200, Rob Meijer wrote:
> > apparmor 3 which is currently in dev makes it much easier to add and
> > replace a default profile.
>
> That's amazing news. Could the above blocking of access to
> /proc/$(pid_other_than_self)/fd/* be easily expressed in such a default
> profile?
You'd probably also need kernel-side variables to land, to be able to
express it _this_ cleanly. (Well, you'd just leave out /proc/** entirely
from the default profile, and add /proc/#PID#/* r, -- where #PID# is
a hypothesized-and-not-actually-proposed kernel-side variable that is
"expanded" when needed. Maybe @{PID} would be perfect still.)

No, I can't promise kernel-side variables any time soon -- they're not
exactly easy to implement.

But it does seem the cleanest way to get you more or less what you want. :)
--
AppArmor mailing list
[email protected]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
