[apparmor] PS Profile question

Seth Arnold seth.arnold at canonical.com
Mon Dec 1 23:48:39 UTC 2014


On Mon, Dec 01, 2014 at 05:19:33PM -0600, parspes wrote:
> Hi everyone,
>  I have a tentative profile for bin.ps but I have a question before I
> submit it to the package maintainer. I have received no response from
> the package maintainer regarding a profile.
> 
>  I have identified three capabilities requested by ps on my system:
> dac_override
> dac_read_search
> sys_ptrace
> 
>  It appears that for general functioning the only absolutely necessary
> capability is sys_ptrace, as well as I can discern. I request
> suggestions about which capabilities should be allowed and which
> should be denied. Thanks.

Hello Pat,

The cap_dac_read_search is likely needed for /proc/<pid>/task/ thread
enumeration for processes owned by other users; cap_dac_override is
likely needed for all the other files in /proc/<pid>/ and subdirectories
for processes owned by other users.

There are two theories of thought here -- one is that you should deny the
cap_dac_read_search and cap_dac_override so that users cannot discover
what other users on the system are doing. The other is that you should
allow them because that's a usual use of ps.

If you're providing a profile for distribution to others, it is probably
best to include all the necessary permissions: people expect their
computers to work substantially identically with AppArmor installed
as before.

If you're building a profile for your own use, it might make sense to lock
it down. You'll have to decide if that's a good idea or not.

Thanks
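
The following is an added example, not part of the original thread or of any AppArmor tooling: it collects the capabilities a profile requested from AppArmor audit lines and prints the capability rules for both stances discussed above (allow everything ps asked for, or deny the two DAC capabilities). The log lines are constructed, and the profile name /bin/ps and the helper names are assumptions.

```python
import re

# Constructed sample audit lines (not from the thread), in the format AppArmor
# logs for capability checks (operation="capable"). Profile names are assumed.
SAMPLE_LOG = """\
audit: type=1400 audit(1417475973.101:201): apparmor="ALLOWED" operation="capable" profile="/bin/ps" pid=4021 comm="ps" capability=19  capname="sys_ptrace"
audit: type=1400 audit(1417475973.102:202): apparmor="ALLOWED" operation="capable" profile="/bin/ps" pid=4021 comm="ps" capability=2  capname="dac_read_search"
audit: type=1400 audit(1417475973.102:203): apparmor="ALLOWED" operation="capable" profile="/bin/ps" pid=4021 comm="ps" capability=1  capname="dac_override"
audit: type=1400 audit(1417475973.400:204): apparmor="ALLOWED" operation="open" profile="/bin/ps" name="/proc/1/stat" pid=4021 comm="ps" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1417475980.010:205): apparmor="DENIED" operation="capable" profile="/usr/sbin/tcpdump" pid=4100 comm="tcpdump" capability=12  capname="net_admin"
audit: type=1400 audit(1417475991.555:206): apparmor="ALLOWED" operation="capable" profile="/bin/ps" pid=4033 comm="ps" capability=19  capname="sys_ptrace"
"""

# Matches capability events in complain mode (ALLOWED) and enforce mode (DENIED).
CAPABLE = re.compile(r'apparmor="(?:ALLOWED|DENIED)" operation="capable" '
                     r'profile="(?P<profile>[^"]+)".*?capname="(?P<cap>[a-z_]+)"')

# The two capabilities the reply ties to reading other users' /proc entries.
CROSS_USER_CAPS = {"dac_override", "dac_read_search"}


def requested_caps(log_text, profile):
    """Return the sorted, de-duplicated capabilities requested under a profile."""
    caps = set()
    for line in log_text.splitlines():
        m = CAPABLE.search(line)
        if m and m.group("profile") == profile:
            caps.add(m.group("cap"))
    return sorted(caps)


def capability_rules(caps, lock_down):
    """Emit profile rules: allow all seen caps, or deny the cross-user ones."""
    rules = []
    for cap in caps:
        if lock_down and cap in CROSS_USER_CAPS:
            rules.append(f"deny capability {cap},")
        else:
            rules.append(f"capability {cap},")
    return rules


if __name__ == "__main__":
    caps = requested_caps(SAMPLE_LOG, "/bin/ps")
    for label, lock in (("for distribution", False), ("locked down", True)):
        print(f"# {label}")
        print("\n".join("  " + rule for rule in capability_rules(caps, lock)))
```

An explicit deny rule also stops AppArmor from logging the rejected request, so the locked-down variant keeps the audit log quiet when ps probes other users' processes.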