Hi,
i'm trying to allow users to run applications like ps or htop while
seeing only their own processes. Htop, for example, needs read
permission to /proc/<pid>/cmdline BUT when a process changes uid from
root to user, this happens:
- directory /proc/<pid>/ is correctly owned by user
- file /proc/<pid>/cmdline is still owned by root (with world read
permission)
If i do something like this:
/proc/ r,
owner /proc/** r,
such processes are not shown in ps/htop (because /proc/<pid>/cmdline
is owned by root, not 'owner').
If i add this:
/proc/*/cmdline r,
Users can see all processes.
Any hints? Maybe something like 'deny entering directory (x permission)'.
--
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at:
https://lists.ubuntu.com/mailman/listinfo/apparmor
