[apparmor] Profile variable for the PID of the confined process?

intrigeri intrigeri at debian.org
Thu Mar 19 09:47:40 UTC 2015


Hi,

lots of our profiles give access to things like
@{PROC}/@{pid}/[something], which in my understanding:

 1. is unnecessarily wide open most of the time: the process often
    only needs to gather information about itself, not about any other
    process, right?

 2. opens the door to side-channel attacks such as Memento:
    https://www.cs.utexas.edu/~shmat/shmat_oak12memento.pdf

(hidepid= could help a bit wrt. #2, but the simplistic way in which
it's implemented in the kernel isn't compatible with systemd
currently, so that's not an option for many modern distros.)

=> do we have a variable like @{self} or @{current_pid}, that would
allow us to adjust profiles, so that processes are restricted to read
information about themselves only?

Thanks!

Cheers,
-- 
intrigeri
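
A small audit helper for the pattern described in the message above, added here as an example and not part of the original post or of AppArmor's own tooling: it lists file rules whose path starts with the proc root followed by a PID wildcard (`@{pid}`, `[0-9]*` or `*`). The sample profile and the function name are constructed for illustration, and the parsing is simplified on the assumption of one file rule per line.

```python
import re

# Constructed sample profile, for illustration only (not a shipped profile).
SAMPLE_PROFILE = """\
#include <tunables/global>
/usr/bin/example {
  #include <abstractions/base>
  @{PROC}/@{pid}/status r,
  owner @{PROC}/@{pid}/fd/ r,
  @{PROC}/[0-9]*/cmdline r,
  /proc/*/stat r,
  @{PROC}/sys/kernel/osrelease r,
  deny @{PROC}/@{pid}/mem rw,
  # @{PROC}/@{pid}/maps r,
}
"""

# Proc root followed by a first path component that matches every PID.
PID_WILDCARD = re.compile(r"^(?:@\{PROC\}|/proc)/+(?:@\{pid\}|\[0-9\]\*|\*)/")
# Simplified file rule: optional qualifiers, path, permissions, trailing comma.
RULE = re.compile(
    r"^\s*((?:(?:audit|allow|deny|owner)\s+)*)(\S+)\s+([a-zA-Z]+),\s*(?:#.*)?$"
)


def find_pid_wide_rules(profile_text):
    """Return (line number, path, permissions, has_owner) for each allow rule
    that grants access under the per-PID directories of /proc."""
    findings = []
    for lineno, line in enumerate(profile_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):  # comments and #include lines
            continue
        m = RULE.match(line)
        if not m:
            continue
        qualifiers, path, perms = m.group(1).split(), m.group(2), m.group(3)
        # deny rules grant nothing; other proc paths are out of scope here
        if "deny" in qualifiers or not PID_WILDCARD.match(path):
            continue
        findings.append((lineno, path, perms, "owner" in qualifiers))
    return findings


if __name__ == "__main__":
    for lineno, path, perms, owner in find_pid_wide_rules(SAMPLE_PROFILE):
        # "owner" narrows the rule to files owned by the task's user,
        # which is still wider than the confined process itself.
        scope = "same-owner processes" if owner else "any process"
        print(f"line {lineno}: {path} {perms} (covers {scope})")
```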


