i'm trying to allow users to run applications like ps or htop while seeing only their own processes. Htop, for example, needs read permission to /proc/<pid>/cmdline BUT when a process changes uid from root to user, this happens:
 - directory /proc/<pid>/ is correctly owned by user
- file /proc/<pid>/cmdline is still owned by root (with world read permission)

If i do something like this:
/proc/ r,
owner /proc/** r,

such processes are not shown in ps/htop (because /proc/<pid>/cmdline is owned by root, not 'owner').

If i add this:
/proc/*/cmdline r,

Users can see all processes.

Any hints? Maybe something like 'deny entering directory (x permission)'.

AppArmor mailing list
Modify settings or unsubscribe at: 

Reply via email to