[apparmor] How to confine querying of /proc to /proc/self?

Felix Geyer debfx at ubuntu.com
Fri Jul 25 19:17:39 UTC 2014

On 25.07.2014 13:25, Christian Boltz wrote:
>> > In the meantime, @{PROC}/@{pid}/  r,  is going to be the best you can
>> > do. It'll automatically tighten up when we introduce a @{pid}
>> > kernel-side variable.
> Well, it's nearly the best ;-)
> You can/should also add the "owner" keyword which excludes reading /proc 
> entries of processes run by other users:
>   owner @{PROC}/@{pid}/**  r,

/proc/@{pid}/net/** is always root-owned though so you might need to allow that
without the owner modifier.
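Putting the two suggestions together, here is an added example profile fragment (not from the thread or from the AppArmor project) for a hypothetical binary /usr/bin/example. It combines the owner-restricted rule for a process's own /proc entries with the separate, unowned rule that the root-owned net/ subtree needs; until the kernel-side @{pid} variable mentioned above exists, @{pid} still matches any pid, so this does not literally confine access to /proc/self:

```apparmor
# Added example, not part of the original mailing-list post.
# Hypothetical program path; adjust to the binary being confined.
#include <tunables/global>

/usr/bin/example {
  #include <abstractions/base>

  # Read /proc/<pid>/ entries only for processes running as the same uid
  # as the confined process ("owner" compares the file owner to the
  # task's fsuid).
  owner @{PROC}/@{pid}/** r,

  # /proc/<pid>/net/* is always root-owned regardless of who runs the
  # process, so the owner rule above never matches it. Allow it
  # explicitly without the owner modifier.
  @{PROC}/@{pid}/net/** r,
}
```

Load it with `apparmor_parser -r /etc/apparmor.d/usr.bin.example` and check denials in the kernel log (`dmesg` or `journalctl -k`, lines containing `apparmor="DENIED"`); a denial for a `/proc/<pid>/net/...` path with `ouid=0` is exactly the case the second rule covers, while a denial for another user's `/proc/<pid>/` entry means the owner restriction is doing its job.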

