On Wed, Dec 06, 2017 at 07:14:05PM +0000, daniel curtis wrote:
> ✗ apparmor="DENIED" operation="open" profile="/bin/netstat"
> name="/proc/2513/net/dev" pid=4084 comm="netstat" requested_mask="r"
> denied_mask="r" fsuid=0 ouid=0
>
> As we can see, there is a simple "DENIED" action referring to the {PROC}
> folder. What do all of you think about adding something like this to the
> netstat profile? (Which one is a better choice? I would like to use the
> first rule, because it uses a new '@{pid}' type.)
>
> @{PROC}/@{pid}/net/dev r,
> @{PROC}/[0-9]*/net/dev r,
Hello Daniel, nice find.
I strongly recommend using:
@{PROC}/@{pids}/net/dev r,
@{pid} will probably mean "this specific process's pid" at some point in
the future. @{pids} will remain "all valid pids".
> And what about an "owner" prefix? Is it needed here? Because of a "missing
> interface information" line found in the error, I decided to add an interface
> (an example: '$ sudo netstat -ni enp0s11'), but the error message was exactly
> the same as above. The log file entry was also the same, except of course for
> the PID numbers.
Don't add 'owner' to netstat rules: an administrator needs to inspect all
processes owned by all users.
Thanks
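An added example, not part of this thread or the AppArmor project: a small Python helper that parses the DENIED audit line quoted above and derives the rule recommended in the reply, using @{pids} (any valid pid) rather than @{pid}. It also shows why the fsuid/ouid fields in this particular log line say nothing useful about adding 'owner'.

```python
import re

# Constructed sample: the audit line from the thread, re-joined onto one line.
SAMPLE_DENIAL = (
    'apparmor="DENIED" operation="open" profile="/bin/netstat" '
    'name="/proc/2513/net/dev" pid=4084 comm="netstat" requested_mask="r" '
    'denied_mask="r" fsuid=0 ouid=0'
)

# key="quoted value" or key=bareword
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_denial(line):
    """Return the key=value fields of one AppArmor audit line as a dict."""
    fields = {}
    for key, raw, quoted in FIELD_RE.findall(line):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields


def suggest_rule(fields):
    """Turn a DENIED file access into a profile rule using AppArmor variables.

    /proc/<pid>/... becomes @{PROC}/@{pids}/...: @{pids} matches every valid
    pid, while @{pid} is expected to mean the confined process's own pid.
    Returns None for lines that are not file denials.
    """
    if fields.get("apparmor") != "DENIED" or "name" not in fields:
        return None
    path = fields["name"]
    path = re.sub(r"^/proc/[0-9]+/", "@{PROC}/@{pids}/", path)
    path = re.sub(r"^/proc/", "@{PROC}/", path)  # other /proc paths
    # No 'owner' prefix: netstat must read /proc entries of every user's processes.
    return "%s %s," % (path, fields["denied_mask"])


def owner_would_match(fields):
    """True if an 'owner'-prefixed rule would have permitted this exact access.

    Here fsuid == ouid only because netstat was run as root; a non-root user
    inspecting another user's sockets would still be denied, so this check
    must not be read as evidence that 'owner' is safe to add.
    """
    return fields.get("fsuid") == fields.get("ouid")
```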
-- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
