[apparmor] Any plans for something like @{PROC}/@PID/ or @{PROCSELF} ?
Seth Arnold
seth.arnold at gmail.com
Wed Sep 14 00:15:53 UTC 2011
>> Right now we have a mix of "*" and "[0-9]*" in the abstractions:
>>
>> base: @{PROC}/*/maps r,
>> bash: @{PROC}/[0-9]*/mounts r,
> But then people will think they have a specific process id when they have
> a kernel version that can't handle it ;)
When I read the first proposal here, this was my exact thought; my initial
guess on what to do about it involved _two_ variables:
@{PIDS}=[0-9][0-9]?[0-9]?[0-9]?[0-9]?[0-9]?[0-9]?
@{MYPID}= @{PIDS} until @{__KERNEL_PID__} is available
Some profiles should grant access to all pids (gdb? strace? blcr? upstart?
systemd?) and other profiles should grant access to only the current
process id. (I imagine both abstractions quoted here are the latter case.)
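As an added check (this code is not from the mail or from AppArmor itself), the Python below expands the variables and tests the rule forms quoted above against sample /proc paths under apparmor.d(5) globbing, where `?` stands for exactly one non-slash character rather than making the preceding item optional. The `@{PIDS_ALT}` value is a constructed rewrite that uses `{a,b,...}` alternation to express one to seven digits.

```python
import re

# Constructed variable table for this check (not AppArmor's real definitions).
# @{PIDS} is the pattern proposed in the mail; @{PIDS_ALT} is an added rewrite
# using {a,b,...} alternation, which is how apparmor.d(5) spells "one of these".
VARIABLES = {
    "@{PROC}": "/proc",
    "@{PIDS}": "[0-9][0-9]?[0-9]?[0-9]?[0-9]?[0-9]?[0-9]?",
    "@{PIDS_ALT}": "{[0-9],[0-9][0-9],[0-9][0-9][0-9],[0-9][0-9][0-9][0-9],"
                   "[0-9][0-9][0-9][0-9][0-9],[0-9][0-9][0-9][0-9][0-9][0-9],"
                   "[0-9][0-9][0-9][0-9][0-9][0-9][0-9]}",
}

def expand(rule):
    """Substitute each @{VAR} with its value (one level is enough here)."""
    for name, value in VARIABLES.items():
        rule = rule.replace(name, value)
    return rule

def glob_to_regex(pattern):
    """Translate the apparmor.d(5) glob subset used here into an anchored regex.

    Assumed semantics, per the man page: '*' is any run of non-'/' characters,
    '?' is exactly one non-'/' character (it does not mean "optional"),
    '[...]' is a character class and '{a,b}' is alternation (no nesting).
    """
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "*":
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        elif c == "[":                      # copy a character class verbatim
            j = pattern.index("]", i)
            out.append(pattern[i:j + 1])
            i = j
        elif c in "{,}":                    # alternation -> (?:a|b)
            out.append({"{": "(?:", ",": "|", "}": ")"}[c])
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("^" + "".join(out) + "$")

def matches(rule, path):
    """True if the file rule's path glob would cover this path."""
    return glob_to_regex(expand(rule)).match(path) is not None
```

Under those rules the proposed `@{PIDS}` only covers 13-character directory names, while the alternation form covers one to seven digits and, like `[0-9]*`, still excludes `self`.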