On 25.07.2014 07:49, John Johansen wrote:
> On 07/23/2014 05:37 PM, Cameron Norman wrote:
>> I have a profile with the rule "/proc/self/** r,", however the application 
>> is not allowed to access /proc/self.
>>
>> Since /proc/self is a symlink, it resolves to the actual directory, then the 
>> process trying to query its own attributes is denied access. How can access 
>> to only /proc/self be accomplished?
>>
> 
> Unfortunately this is something that is not currently possible, due to
> how path resolution is done. We do have plans to fix this via a kernel
> variable (@{pid}) that will be matched at enforcement time. The rule
> would be
>   /proc/@{pid}/** r,
> 
> we have started to use this in some policy so that the policy will
> use it when the feature becomes available.

Introducing a variable and later narrowing down the allowed paths sounds a bit 
dangerous to me.

I now assume @{pid} is supposed to be "matches the pid of the process" and 
@{pids} is "matches all pids". Before reading this thread it wasn't clear to me.
It would be nice to have that documented in the tunables file.

Cheers,
Felix

-- 
AppArmor mailing list
[email protected]
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor
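The following is an added walk-through, not code from the thread or from the AppArmor project. It models the two points the thread turns on: the kernel resolves the `/proc/self` symlink before the profile is consulted, so a rule written against `/proc/self/**` is compared with `/proc/<pid>/...` and never matches; and a variable substituted with the subject's own pid at check time (`@{pid}`, as John describes the planned kernel variable) is far narrower than one that expands to every pid (`@{pids}`, as Felix reads it). The symlink resolution, the glob-to-regex translation and both variable expansions are simplifications assumed for this example; the pids 1234 and 4321 are constructed.

```python
import re

# Constructed subject for the walk-through: the confined process has pid 1234.
SUBJECT_PID = 1234


def resolve(path, subject_pid):
    """Mimic the kernel's path walk, which runs before AppArmor sees the path:
    the /proc/self symlink is replaced by the caller's own pid, so the
    profile is matched against '/proc/1234/...' and never against 'self'.
    Only that one symlink is modelled here (assumption for this example)."""
    parts = path.split("/")
    if len(parts) > 2 and parts[1] == "proc" and parts[2] == "self":
        parts[2] = str(subject_pid)
    return "/".join(parts)


def parse_rule(rule):
    """Split 'glob perms,' into (glob, perms); e.g. '/proc/self/** r,'."""
    glob, perms = rule.rstrip(",").split()
    return glob, perms


def glob_to_regex(glob, subject_pid):
    """Compile an AppArmor-style path glob into a regex.
    '*' matches within one path component, '**' may cross '/'.
    @{pid}  -> the subject's own pid, substituted at check time (the
               enforcement-time semantics John describes for the kernel var)
    @{pids} -> any pid
    Both expansions are assumptions made for this example, not AppArmor's
    actual implementation."""
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("@{pid}", i):
            out.append(re.escape(str(subject_pid)))
            i += len("@{pid}")
        elif glob.startswith("@{pids}", i):
            out.append(r"[0-9]+")
            i += len("@{pids}")
        elif glob.startswith("**", i):
            out.append(r".*")
            i += 2
        elif glob[i] == "*":
            out.append(r"[^/]*")
            i += 1
        else:
            out.append(re.escape(glob[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def allowed(rules, requested_path, perm, subject_pid=SUBJECT_PID):
    """True if some rule grants `perm` on the *resolved* path."""
    resolved = resolve(requested_path, subject_pid)
    for rule in rules:
        glob, perms = parse_rule(rule)
        if perm in perms and glob_to_regex(glob, subject_pid).match(resolved):
            return True
    return False


if __name__ == "__main__":
    self_rule = ["/proc/self/** r,"]
    pid_rule = ["/proc/@{pid}/** r,"]
    pids_rule = ["/proc/@{pids}/** r,"]
    # Cameron's case: the rule names the symlink, so it never matches the
    # resolved path /proc/1234/status.
    print(allowed(self_rule, "/proc/self/status", "r"))   # False
    # John's proposed rule: the subject's own pid is substituted at check time.
    print(allowed(pid_rule, "/proc/self/status", "r"))    # True
    print(allowed(pid_rule, "/proc/4321/status", "r"))    # False: another pid
    # Felix's reading of @{pids}: entries of any process, much broader.
    print(allowed(pids_rule, "/proc/4321/status", "r"))   # True
```

Running the block prints the four checks in order. The last two lines show why the distinction Felix asks about matters for a reviewer: a profile that grants `@{pids}` lets the confined process read other processes' `/proc` entries, whereas `@{pid}` confines it to its own.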