On 07/25/2014 12:05 PM, Felix Geyer wrote:
> On 25.07.2014 07:49, John Johansen wrote:
>> On 07/23/2014 05:37 PM, Cameron Norman wrote:
>>> I have a profile with the rule "/proc/self/** r,", however the application
>>> is not allowed to access /proc/self.
>>>
>>> Since /proc/self is a symlink, it resolves to the actual directory, then
>>> the process trying to query its own attributes is denied access. How can
>>> access to only /proc/self be accomplished?
>>>
>>
>> Unfortunately this is something that is not currently possible, due to
>> how path resolution is done. We do have plans to fix this via a kernel
>> variable (@{pid}) that will be matched at enforcement time. The rule
>> would be
>> /proc/@{pid}/** r,
>>
>> we have started to use this in some policy so that the policy will
>> use it when the feature becomes available.
>
> Introducing a variable and later narrowing down the allowed paths sounds a
> bit dangerous to me.
>
It could be, but at the same time if we are careful about it, we have much
better policy and support when the feature lands.
> I now assume @{pid} is supposed to be "matches the pid of the process" and
> @{pids} is "matches all pids". Before reading this thread it wasn't clear to me.
> It would be nice to have that documented in the tunables file.
>
Yes, the commenting in the tunables file could be better.
--
AppArmor mailing list
[email protected]
Modify settings or unsubscribe at:
https://lists.ubuntu.com/mailman/listinfo/apparmor
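The following is an added example, not code from the thread or from the AppArmor project, that models the point John makes above: the path AppArmor mediates is the one the kernel has already resolved, so the "self" component of /proc/self is gone before any rule is consulted, and "/proc/self/** r," can never match. The glob-to-regex translation and the expansion of @{pid} to "[0-9]*" are assumptions made for illustration only; AppArmor's real matcher compiles rules to a DFA, and the real tunables definition of @{pid} is a brace alternation that also rejects leading zeros.

```python
"""Toy model of why an AppArmor rule for /proc/self/** does not match.

Added example; not AppArmor code.  The kernel resolves /proc/self to
/proc/<pid of the calling task> before the LSM hook runs, so the rule
engine only ever sees /proc/<pid>/...
"""
import re

# Assumed expansion of the @{pid} tunable (illustration only; the real
# tunables/kernelvars definition is a brace alternation, not a bare glob).
TUNABLES = {"@{pid}": "[0-9]*"}


def expand_tunables(rule_path: str, tunables=TUNABLES) -> str:
    """Replace @{name} variables in a rule path with their definitions."""
    for name, value in tunables.items():
        rule_path = rule_path.replace(name, value)
    return rule_path


def glob_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate the subset of AppArmor globbing used here to a regex.

    **    any characters, including '/'
    *     any characters except '/'
    ?     exactly one character except '/'
    [..]  character class, passed through unchanged
    """
    out = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
            continue
        c = pattern[i]
        if c == "*":
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        elif c == "[" and pattern.find("]", i) != -1:
            j = pattern.index("]", i)
            out.append(pattern[i:j + 1])
            i = j
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("^" + "".join(out) + "$")


def resolve_proc_self(path: str, pid: int) -> str:
    """Model the kernel's symlink resolution of /proc/self.

    /proc/self points at /proc/<pid> of the task doing the lookup, so the
    path presented to the LSM no longer contains the word 'self'.
    """
    prefix = "/proc/self"
    if path == prefix or path.startswith(prefix + "/"):
        return f"/proc/{pid}" + path[len(prefix):]
    return path


def rule_allows(rule_path: str, requested_path: str, pid: int) -> bool:
    """True if rule_path matches the path the kernel actually presents when
    task `pid` opens requested_path."""
    seen_by_lsm = resolve_proc_self(requested_path, pid)
    regex = glob_to_regex(expand_tunables(rule_path))
    return regex.match(seen_by_lsm) is not None


if __name__ == "__main__":
    pid = 4242  # constructed sample pid
    for rule in ("/proc/self/** r,", "/proc/@{pid}/** r,"):
        rule_path = rule.split()[0]
        allowed = rule_allows(rule_path, "/proc/self/status", pid)
        print(f"{rule:22} matches /proc/self/status -> {allowed}")
```

Note what the "[0-9]*" expansion actually grants: with no kernel-side @{pid}, the rule matches /proc/<any pid>/**, not just the task's own entry, which is the widening that the thread is weighing against having policy ready when the real feature lands.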