On 07/23/2014 05:37 PM, Cameron Norman wrote:
> I have a profile with the rule "/proc/self/** r,", however the application is 
> not allowed to access /proc/self.
> 
> Since /proc/self is a symlink, it resolves to the actual directory, then the 
> process trying to query its own attributes is denied access. How can access 
> to only /proc/self be accomplished?
> 

Unfortunately this is something that is not currently possible, due to
how path resolution is done. We do have plans to fix this via a kernel
variable (@{pid}) that will be matched at enforcement time. The rule
would be
  /proc/@{pid}/** r,

We have started to use this in some policy so that the policy will
use it when the feature becomes available.


-- 
AppArmor mailing list
[email protected]
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor
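The two rules discussed in the thread, side by side in a minimal profile. This is an added example fragment, not a profile from the original thread or from the AppArmor project; the binary path /usr/bin/example and the profile layout are assumptions.

```apparmor
# Added example (not from the thread). The binary path and profile name are
# assumed; adjust them to the confined program.
#include <tunables/global>

/usr/bin/example {
  #include <abstractions/base>

  /usr/bin/example mr,

  # Does NOT work as intended: /proc/self is a symlink that the kernel
  # resolves to /proc/<pid>/ before the path is matched against the profile,
  # so no access ever arrives as "/proc/self/..." and the read is denied.
  # /proc/self/** r,

  # What the reply recommends: match the resolved path with the @{pid}
  # kernel variable, which is compared against the calling task's own pid at
  # enforcement time on kernels that support it.
  /proc/@{pid}/** r,
}
```

Reload the profile with `apparmor_parser -r` on the profile file and check the kernel log for `apparmor="DENIED"` entries to confirm the /proc reads are now permitted. One caveat when reviewing such a profile: if the installed AppArmor only provides `@{pid}` as a userspace tunable (a numeric pattern) rather than the kernel-matched variable the reply describes, the rule matches every `/proc/<n>/` directory, not just the process's own, and should be audited as a read grant on all of `/proc/*/`.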
