[apparmor] Retrofitting & access-control impedance mismatch for MinorFs

Seth Arnold seth.arnold at canonical.com
Tue Jun 25 19:11:38 UTC 2013

On Tue, Jun 25, 2013 at 06:31:09AM +0200, Rob Meijer wrote:
> > apparmor 3 which is currently in dev makes it much easier to add and
> > replace a default profile.
> That's amazing news. Could the above blocking of access to
> /proc/$(pid_other_than_self)/fd/* be easily expressed in such a default
> profile?

You'd probably also need kernel-side variables to land, to be able to
express it _this_ cleanly. (Well, you'd just leave out /proc/** entirely
from the default profile, and add /proc/#PID#/* r, -- where #PID# is
a hypothesized-and-not-actually-proposed kernel-side variable that is
"expanded" when needed. Maybe @{PID} would be perfect still.)

No, I can't promise kernel-side variables any time soon -- they're not
exactly easy to implement.

But it does seem the cleanest way to get you more or less what you want. :)
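
Added example, not part of the original message and not AppArmor code: a small Python model of why the rule above needs a kernel-side variable. It assumes the `@{PID}` spelling from the message, a simplified glob matcher (`*` stops at `/`, `**` does not), and a constructed "any PID" pattern standing in for a variable that is expanded once before the policy is loaded.

```python
import re

RULE = "/proc/@{PID}/*"  # the rule from the message, with the @{PID} spelling


def glob_src(glob):
    """Regex source for a simplified AppArmor-style glob."""
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*")        # '**' may cross directory separators
            i += 2
        elif glob[i] == "*":
            out.append("[^/]*")     # '*' stays within one path component
            i += 1
        else:
            out.append(re.escape(glob[i]))
            i += 1
    return "".join(out)


def rule_regex(rule, pid_src):
    """Compile the rule with the variable replaced by the regex pid_src."""
    parts = [glob_src(p) for p in rule.split("@{PID}")]
    return re.compile(pid_src.join(parts) + r"\Z")


def allowed_static(path):
    """Variable expanded before load: it can only mean 'some PID'."""
    any_pid = r"[1-9][0-9]*"  # constructed stand-in for a fixed expansion
    return bool(rule_regex(RULE, any_pid).match(path))


def allowed_kernel_side(path, task_pid):
    """Variable expanded at match time to the PID of the confined task."""
    own_pid = re.escape(str(task_pid))
    return bool(rule_regex(RULE, own_pid).match(path))


if __name__ == "__main__":
    me = 4242  # constructed PID of the confined task
    for path in ("/proc/4242/status", "/proc/1/environ", "/proc/421/status"):
        print(path, allowed_static(path), allowed_kernel_side(path, me))
```

With a fixed expansion the rule grants read access to every process's top-level /proc entries; only the match-time expansion limits it to the task's own directory.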
