Hello,
On Thursday, 24 July 2014, Seth Arnold wrote:
> ptrace read peer=@{profile_name},
Note that ptrace rule was introduced in AppArmor 2.8.95 (= 2.9 beta1).
It's not available in older releases.
> In the meantime, @{PROC}/@{pid}/ r, is going to be the best you can
> do. It'll automatically tighten up when we introduce a @{pid}
> kernel-side variable.
Well, it's nearly the best ;-)
You can/should also add the "owner" keyword which excludes reading /proc
entries of processes run by other users:
owner @{PROC}/@{pid}/** r,
Regards,
Christian Boltz
--
Only on my dog's account (he's my test user)
are all the desktop icons gone [...]
But he doesn't sit down at the computer that often anyway.
[Bernd Kloss in suse-linux]
--
AppArmor mailing list
[email protected]
Modify settings or unsubscribe at:
https://lists.ubuntu.com/mailman/listinfo/apparmor
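As an added illustration (not code from the thread or from the AppArmor project), here is a hypothetical profile for a made-up binary, /usr/bin/example-monitor, that puts the two rules discussed above side by side: the unowned /proc read that Seth suggested as the interim best, and the owner-qualified variant Christian recommends, plus the ptrace rule that only parses on AppArmor 2.8.95 (2.9 beta1) and later. The binary path and profile contents are constructed for the example; @{PROC} and @{pid} are assumed to be supplied by the standard tunables/global include.

```apparmor
# Hypothetical profile for illustration only; the binary path is made up.
# @{PROC} and @{pid} are assumed to come from tunables/global.
#include <tunables/global>

/usr/bin/example-monitor {
  #include <abstractions/base>

  # Interim rule from the thread: readable /proc entries for every pid,
  # including processes belonging to other users. Left commented out
  # because the owner-qualified rule below supersedes it.
  # @{PROC}/@{pid}/** r,

  # Tightened rule: 'owner' limits the match to /proc entries whose
  # owning uid equals the confined task's fsuid, so other users'
  # processes stay unreadable even though the path pattern is identical.
  owner @{PROC}/@{pid}/** r,

  # ptrace read access to peers confined by this same profile.
  # Requires AppArmor 2.8.95 (= 2.9 beta1) or newer; older parsers
  # reject the line, so omit it when targeting earlier releases.
  ptrace read peer=@{profile_name},
}
```

To check that a given apparmor_parser accepts the syntax without loading anything into the kernel, run it with --skip-kernel-load against the profile file; an older parser will fail on the ptrace line and thereby confirm which release is installed.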