On 10/07/2013 02:52 PM, Tai Nguyen (tainguye) wrote:
> Hi,
>
> We have a server that needs to read the client /proc/<pid>/cmdline.
> Currently, file /proc/<pid>/cmdline belong to the domain of the running
> process.
> Is there any way that we can have a generalized rule for that process so that
> it can read all the /proc/<pid>/cmdline instead of creating rules for every
> client domain?
Well, first, I hope your server isn't basing any security decisions on
the value of /proc/pid/cmdline, or trusting that value in any way.
With regard to allowing it, you can allow it to read /proc/pid/cmdline
for all domains by writing allow rules with the domain attribute, e.g.
allow server domain:dir r_dir_perms;
allow server domain:{ file lnk_file } r_file_perms;
Or more succintly using the r_dir_file() macro as:
r_dir_file(server, domain)
If you want to allow it for just app domains, you can write similar
rules using the appdomain attribute rather than domain, e.g.
r_dir_file(server, appdomain)
If you want to restrict it to reading only specific domains identified
as its clients, then you should associate a new type attribute with each
client domain and then use that type attribute in the rules. You can do
that fairly transparently by embedding the typeattribute statement in
whatever macro you use to allow the client to connect to the server.
--
This message was distributed to subscribers of the seandroid-list mailing list.
If you no longer wish to subscribe, send mail to [email protected] with
the words "unsubscribe seandroid-list" without quotes as the message.
