On Thu, Jul 24, 2014 at 12:30:21AM -0007, Cameron Norman wrote:
> I have a profile with the rule "/proc/self/** r,", however the
> application is not allowed to access /proc/self.
>
> Since /proc/self is a symlink, it resolves to the actual directory,
> then the process trying to query its own attributes is denied
> access. How can access to only /proc/self be accomplished?
At some point in the future, we'll introduce a new variable @{pid} that
can express "this process's pid", which would be useful for /proc/pid/..
and (typically lockfiles) with the pid included. It currently expands to
match all pids.
However, access to other processes' /proc/pid/* files will trigger the
apparmor ptrace 'read' checks, allowing you to control whether or not
those accesses will work:
  # just this profile
  ptrace read peer=@{profile_name},
In the meantime, @{PROC}/@{pid}/ r, is going to be the best you can do.
It'll automatically tighten up when we introduce a @{pid} kernel-side
variable.
> P.S. please keep me CC'd, as I am not subscribed to this ML currently.
Thanks, always nice for the hint :)
Thanks
--
AppArmor mailing list
[email protected]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
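The advice in the reply above put together as one profile fragment, added here as an illustration and not taken from the thread or the AppArmor project: the non-working /proc/self rule is shown commented out beside the @{PROC}/@{pid} rules and the ptrace read rule. The program path /usr/bin/myapp and the include lines are assumptions; the `owner` qualifier is a standard AppArmor feature that the thread does not mention.

```apparmor
# Added example profile (not from the thread). The path /usr/bin/myapp and
# the includes are assumptions; @{PROC}, @{pid} and @{profile_name} are
# standard AppArmor variables from tunables/global.
#include <tunables/global>

/usr/bin/myapp {
  #include <abstractions/base>

  # Does NOT work as intended: /proc/self is a symlink, AppArmor mediates
  # the resolved path /proc/<pid>/..., so this rule is never matched.
  # /proc/self/** r,

  # Works today: @{pid} currently expands to match every pid, so this
  # grants read access to the /proc entry of any process ...
  @{PROC}/@{pid}/ r,
  @{PROC}/@{pid}/** r,

  # Optional tightening not discussed in the thread: 'owner' restricts the
  # match to /proc entries owned by the same uid as the confined process.
  # owner @{PROC}/@{pid}/** r,

  # ... but reading another process's /proc/<pid>/* also goes through the
  # AppArmor ptrace 'read' check. Permitting only peers confined by this
  # same profile keeps the exposure small until a kernel-side @{pid}
  # variable narrows the path rules automatically.
  ptrace read peer=@{profile_name},
}
```

Reload the profile (for example with apparmor_parser -r) and confirm in the kernel audit log that the DENIED entry for the resolved /proc/<pid> path disappears.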
