[apparmor] How to confine querying of /proc to /proc/self?

John Johansen john.johansen at canonical.com
Fri Jul 25 22:41:15 UTC 2014


On 07/25/2014 12:05 PM, Felix Geyer wrote:
> On 25.07.2014 07:49, John Johansen wrote:
>> On 07/23/2014 05:37 PM, Cameron Norman wrote:
>>> I have a profile with the rule "/proc/self/** r,", however the application is not allowed to access /proc/self.
>>>
>>> Since /proc/self is a symlink, it resolves to the actual directory, then the process trying to query its own attributes is denied access. How can access to only /proc/self be accomplished?
>>>
>>
>> Unfortunately this is something that is not currently possible, due to
>> how path resolution is done. We do have plans to fix this via a kernel
>> variable (@{pid}) that will be matched at enforcement time. The rule
>> would be
>>   /proc/@{pid}/** r,
>>
>> We have started to use this in some policy so that the policy will
>> use it when the feature becomes available.
> 
> Introducing a variable and later narrowing down the allowed paths sounds a bit dangerous to me.
> 
It could be, but at the same time, if we are careful about it, we have much better
policy and support when the feature lands.

> I now assume @{pid} is supposed to be "matches the pid of the process" and @{pids} is "matches all
> pids". Before reading this thread it wasn't clear to me.
> It would be nice to have that documented in the tunables file.
> 
Yes, the commenting in the tunables file could be better.
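As an added illustration (not from the thread), a profile fragment placing the rule that fails next to the rule proposed above; the program path /usr/bin/example-app is hypothetical, and the note on how @{pid} currently expands is an assumption about the tunables fallback, not something the thread states.

```apparmor
# Added example, not part of the original thread.
#include <tunables/global>

/usr/bin/example-app {
  #include <abstractions/base>

  # Does not work as intended: /proc/self is a symlink, and the kernel
  # resolves it to /proc/<pid>/ before the path is matched, so this rule
  # never sees the path "/proc/self/...".
  /proc/self/** r,

  # Form proposed in the thread: @{pid} is intended to be substituted at
  # enforcement time with the calling process's own pid. Until the kernel
  # supports that, @{pid} is assumed to expand to a generic numeric
  # pattern, so this rule is broader than its eventual meaning.
  /proc/@{pid}/** r,
}
```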