On 25.07.2014 13:25, Christian Boltz wrote:
>> > In the meantime, @{PROC}/@{pid}/  r,  is going to be the best you can
>> > do. It'll automatically tighten up when we introduce a @{pid}
>> > kernel-side variable.
> Well, it's nearly the best ;-)
> 
> You can/should also add the "owner" keyword which excludes reading /proc 
> entries of processes run by other users:
> 
>   owner @{PROC}/@{pid}/**  r,

/proc/@{pid}/net/** is always root-owned, though, so you might need to allow that
without the owner modifier.

Cheers,
Felix

-- 
AppArmor mailing list
[email protected]
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor
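The rules discussed in the thread, put side by side in one profile fragment. This is an added example, not a profile from the thread or from the AppArmor project; the executable path `/usr/bin/example-daemon` is a placeholder, and the abstraction and tunable includes are the usual ones a profile would carry.

```apparmor
# Added example: not from the thread, not AppArmor project code.
# /usr/bin/example-daemon is a placeholder path.
#include <tunables/global>

/usr/bin/example-daemon {
  #include <abstractions/base>

  # Interim form from the first quoted reply: read access to the
  # /proc/<pid>/ directory of any process, regardless of who owns it.
  # Kept here only for comparison; the owner-restricted rule below replaces it.
  # @{PROC}/@{pid}/ r,

  # Tighter form suggested in the thread: the owner modifier makes the rule
  # match only /proc entries of processes running under the same uid as
  # the confined task, so other users' process information stays unreadable.
  owner @{PROC}/@{pid}/** r,

  # Caveat from the reply above: /proc/<pid>/net/ and everything under it
  # is owned by root for every process, so the owner rule never matches it.
  # Grant it with a separate rule without the owner modifier if the
  # program actually needs it (e.g. to read /proc/self/net/dev).
  @{PROC}/@{pid}/net/** r,
}
```

To confirm the ownership behind the caveat on a running system, compare `stat -c '%U:%G %n' /proc/$$ /proc/$$/net /proc/$$/net/dev` from a non-root shell: the first entry is owned by the shell's user, the net entries by root. If the program only needs specific files, listing them (for example `@{PROC}/@{pid}/net/{dev,route} r,`) is narrower than `net/**`; the rule as written is the broadest form of the exception.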
