I'm trying to allow users to run applications like ps or htop while
seeing only their own processes. htop, for example, needs read
permission to /proc/<pid>/cmdline, BUT when a process changes uid from
root to user, this happens:
- directory /proc/<pid>/ is correctly owned by user
- file /proc/<pid>/cmdline is still owned by root (with world read
If I do something like this:
owner /proc/** r,
such processes are not shown in ps/htop (because /proc/<pid>/cmdline
is owned by root, not 'owner').
If I add this:
Users can see all processes.
Any hints? Maybe something like 'deny entering directory (x permission)'.
AppArmor mailing list
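The post's problem can be reproduced without touching a profile: model the two rules it contrasts, `owner /proc/** r,` and the unqualified `/proc/** r,`, against a table of path -> owner uid, and ask which pids still have both /proc/<pid>/ and /proc/<pid>/cmdline readable (the two entries ps/htop need). The script below is an added example, not code from the poster or from the AppArmor project; the `readable`, `pids_with_full_cmdline` and `snapshot_proc` functions and the SAMPLE table are my own constructed illustration of the semantics described in the post (the `owner` qualifier matches only when the file's owner uid equals the confined task's fsuid).

```python
"""Added example (not from the mailing-list post): model which /proc paths an
AppArmor-confined task can read under `owner /proc/** r,` versus `/proc/** r,`.

With the `owner` qualifier a file is only readable when its owner uid equals
the task's fsuid, so a root-owned /proc/<pid>/cmdline is filtered out even
when /proc/<pid>/ itself belongs to the user.
"""
import os
import re

PROC_GLOB = re.compile(r"^/proc/.+")  # rough model of what /proc/** covers


def readable(entries, task_fsuid, owner_only):
    """Sorted paths a task with fsuid `task_fsuid` may read.

    `entries` maps path -> owner uid.  owner_only=True models the rule
    `owner /proc/** r,`; owner_only=False models `/proc/** r,`.
    """
    allowed = []
    for path, uid in entries.items():
        if not PROC_GLOB.match(path):
            continue  # outside the rule's glob, never granted by it
        if owner_only and uid != task_fsuid:
            continue  # `owner` qualifier: file owner must equal fsuid
        allowed.append(path)
    return sorted(allowed)


def pids_with_full_cmdline(entries, task_fsuid, owner_only):
    """Pids for which both /proc/<pid>/ and /proc/<pid>/cmdline are readable,
    i.e. the processes ps/htop could actually list under the rule."""
    ok = set(readable(entries, task_fsuid, owner_only))
    pids = []
    for path in ok:
        m = re.fullmatch(r"/proc/(\d+)", path)
        if m and f"{path}/cmdline" in ok:
            pids.append(int(m.group(1)))
    return sorted(pids)


def snapshot_proc():
    """Collect real ownership of /proc/<pid>/ and /proc/<pid>/cmdline from the
    running system (Linux only; returns {} where /proc is absent)."""
    entries = {}
    try:
        names = os.listdir("/proc")
    except OSError:
        return entries
    for name in names:
        if not name.isdigit():
            continue
        d = f"/proc/{name}"
        try:
            entries[d] = os.stat(d).st_uid
            entries[f"{d}/cmdline"] = os.stat(f"{d}/cmdline").st_uid
        except OSError:
            pass  # process exited between listdir and stat
    return entries


# Constructed sample mirroring the post: pid 1234 dropped root -> uid 1000
# but its cmdline stayed root-owned; pid 42 is a plain user process; pid 1
# is root's.  These are made-up pids, not data from the post.
SAMPLE = {
    "/proc/1": 0, "/proc/1/cmdline": 0,
    "/proc/42": 1000, "/proc/42/cmdline": 1000,
    "/proc/1234": 1000, "/proc/1234/cmdline": 0,  # the mismatch described
}

if __name__ == "__main__":
    print("owner /proc/** r,  ->", pids_with_full_cmdline(SAMPLE, 1000, True))
    print("/proc/** r,        ->", pids_with_full_cmdline(SAMPLE, 1000, False))
    live = snapshot_proc()
    mismatched = [p for p in live if p.endswith("/cmdline")
                  and live[p] != live[p[: -len("/cmdline")]]]
    print("live pids whose dir and cmdline owners differ:", len(mismatched))
```

Run as root and as an unprivileged user on the affected box to see how many live processes show the dir/cmdline owner mismatch; that count is the set of processes the `owner` rule will hide, while the unqualified rule exposes every pid regardless of owner, which is the trade-off the post describes.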