[apparmor] aa_getcon
John Johansen
john.johansen at canonical.com
Wed Jul 18 17:05:17 UTC 2012
On 07/18/2012 02:59 AM, Jeroen Ooms wrote:
>> yes, the profile needs access to the interface. Currently the language
>> does not have a shorthand for this so use
>>
>> @{PROC}/[0-9]*/attr/current r,
>
>
> Thanks, I got it to work. Is this in any way a security risk, or is it
> quite harmless to add this line? E.g. it cannot be used to read a hat's
> magic token, right?
>
It only allows reading what profile/mode a process has applied. The
kernel does not make the magic-token visible in any way.
The permission rule is wider than I would like, in that it allows
access to every task's profile confinement information. For many tasks
it could be tightened down to
@{PROC}/@{PID}/attr/current r,
but the dynamic kernel variable @{PID} isn't available yet, so the
wider pattern match is the best we can do for now.
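As an added illustration (not part of this thread, and not libapparmor's own code), the script below reads the same procfs file the rule above grants, and splits the confinement string the way aa_getcon/aa_splitcon report it. It assumes the kernel writes either "unconfined" or "<label> (<mode>)" to /proc/<pid>/attr/current; nothing else (and in particular no change_hat token) is present in that file.

```python
import os
import re

# Assumed on-disk format of /proc/<pid>/attr/current as exposed by the
# AppArmor kernel module: "unconfined" or "<label> (<mode>)", e.g.
# "/usr/bin/foo (enforce)" or "/usr/bin/foo//hat (complain)".
_CON_RE = re.compile(r"^(?P<label>.+?)(?: \((?P<mode>[a-z]+)\))?$")


def split_con(raw):
    """Split a raw confinement string into (label, mode).

    Hand-written stand-in for libapparmor's aa_splitcon(). Accepts bytes or
    str, strips the trailing newline/NUL the kernel may append, and returns
    mode=None for an unconfined task.
    """
    text = raw.decode() if isinstance(raw, bytes) else raw
    text = text.rstrip("\n\0")
    m = _CON_RE.match(text)
    if not m or not text:
        raise ValueError("unrecognised confinement string: %r" % text)
    return m.group("label"), m.group("mode")


def get_con(pid="self"):
    """Return (label, mode) for a task, like aa_getcon()/aa_gettaskcon().

    Raises PermissionError when the caller's profile lacks the
    '@{PROC}/[0-9]*/attr/current r,' rule discussed in the thread, and
    FileNotFoundError on a kernel without AppArmor.
    """
    path = os.path.join("/proc", str(pid), "attr", "current")
    with open(path, "rb") as fh:
        return split_con(fh.read())


if __name__ == "__main__":
    # Constructed sample, so the parser can be exercised off an AppArmor box.
    print(split_con(b"/usr/bin/foo//hat (complain)\n"))
```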