[apparmor] How to confine querying of /proc to /proc/self?

Felix Geyer debfx at ubuntu.com
Fri Jul 25 19:05:39 UTC 2014


On 25.07.2014 07:49, John Johansen wrote:
> On 07/23/2014 05:37 PM, Cameron Norman wrote:
>> I have a profile with the rule "/proc/self/** r,", however the application is not allowed to access /proc/self.
>>
>> Since /proc/self is a symlink, it resolves to the actual directory, then the process trying to query its own attributes is denied access. How can access to only /proc/self be accomplished?
>>
> 
> Unfortunately this is something that is not currently possible, due to
> how path resolution is done. We do have plans to fix this via a kernel
> variable (@{pid}) that will be matched at enforcement time. The rule
> would be
>   /proc/@{pid}/** r,
> 
> we have started to use this in some policy so that the policy will
> use it when the feature becomes available.

Introducing a variable and later narrowing down the allowed paths sounds a bit dangerous to me.

I now assume @{pid} is supposed to be "matches the pid of the process" and @{pids} is "matches all
pids". Before reading this thread it wasn't clear to me.
It would be nice to have that documented in the tunables file.

Cheers,
Felix



More information about the AppArmor mailing list