[apparmor] Profile variable for the PID of the confined process?
John Johansen
john.johansen at canonical.com
Thu Mar 19 10:35:35 UTC 2015
On 03/19/2015 02:47 AM, intrigeri wrote:
> Hi,
>
> lots of our profiles give access to things like
> @{PROC}/@{pid}/[something], which in my understanding:
>
> 1. is unnecessarily wide open most of the time: the process often
> only needs to gather information about itself, not about any other
> process, right?
>
> 2. opens the door to side-channel attacks such as Memento:
> https://www.cs.utexas.edu/~shmat/shmat_oak12memento.pdf
>
> (hidepid= could help a bit wrt. #2, but the simplistic way in which
> it's implemented in the kernel isn't compatible with systemd
> currently, so that's not an option for many modern distros.)
>
> => do we have a variable like @{self} or @{current_pid}, that would
> allow us to adjust profiles, so that processes are restricted to read
> information about themselves only?
>
Not yet. I have done work towards providing this, but it isn't available
yet.
The plan has been to leverage the existing @{pid} as the kernel variable
so that profiles automatically become tighter.
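To make the "wide open" point concrete, here is an added example (not code from the thread or from the AppArmor project): a small Python re-implementation of AppArmor's variable expansion and path globbing, applied to a rule such as `@{PROC}/@{pid}/status r,`. The `@{PROC}` and `@{pid}` values are the ones shipped in `tunables/global` and `tunables/kernelvars`; `@{pid}` is just an alternation of digit classes, so the rule grants the same access to every process's `/proc` entry. The `self_only_rule()` helper is hypothetical: it shows what a per-process `@{self}`-style variable would reduce the rule to, which the page says does not exist yet. The sample paths are constructed.

```python
"""Why ``@{PROC}/@{pid}/...`` grants every /proc/<pid> entry, not just our own.

Added illustration, not AppArmor project code.  Variable values are copied
from the stock tunables files; the globbing rules mirror apparmor_parser's
documented semantics (*, **, ?, [..] and {a,b}).
"""
import re

# @{PROC} from tunables/global, @{pid} from tunables/kernelvars.
# @{pid} means "any 1- to 7-digit pid"; nothing ties it to the confined task.
TUNABLES = {
    "PROC": "/proc/",
    "pid": "{[1-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],"
           "[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9],"
           "[1-4][0-9][0-9][0-9][0-9][0-9][0-9]}",
}

VAR_RE = re.compile(r"@\{([A-Za-z_][A-Za-z0-9_]*)\}")


def expand_vars(pattern, tunables=TUNABLES):
    """Substitute @{NAME} until none remain, then collapse the doubled slash
    that "@{PROC}/@{pid}" yields (apparmor_parser filters slashes the same way).
    Unknown variables raise KeyError, as an unset tunable would fail to parse."""
    prev = None
    while prev != pattern:
        prev = pattern
        pattern = VAR_RE.sub(lambda m: tunables[m.group(1)], pattern)
    return re.sub(r"/{2,}", "/", pattern)


def glob_to_regex(glob):
    """Translate AppArmor path globbing into an anchored Python regex:
    '*' any chars but '/', '**' any chars, '?' one non-slash char,
    '[..]' a character class, '{a,b}' alternation (nesting allowed)."""
    out, i, depth = [], 0, 0
    while i < len(glob):
        c = glob[i]
        if c == "*":
            if glob.startswith("**", i):
                out.append(".*")
                i += 2
                continue
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        elif c == "[":
            j = glob.index("]", i + 1)       # ValueError on an unclosed class
            out.append(glob[i:j + 1])        # class syntax is regex-compatible
            i = j + 1
            continue
        elif c == "{":
            out.append("(?:")
            depth += 1
        elif c == "}" and depth:
            out.append(")")
            depth -= 1
        elif c == "," and depth:
            out.append("|")
        else:
            out.append(re.escape(c))
        i += 1
    return "^" + "".join(out) + "$"


def rule_matches(rule_path, path):
    """True if the (unexpanded) rule path grants access to the given path."""
    return re.fullmatch(glob_to_regex(expand_vars(rule_path)), path) is not None


def self_only_rule(rule_path, pid):
    """Hypothetical: what a @{self}-style variable would do, i.e. pin @{pid}
    to the confined task's own pid.  Not an AppArmor feature on this page."""
    return rule_path.replace("@{pid}", str(pid))


def grants(rule_path, paths):
    """Map each candidate path to whether the rule grants it."""
    return {p: rule_matches(rule_path, p) for p in paths}


if __name__ == "__main__":
    # Constructed sample paths: our own pid is 4321, pid 1 is someone else.
    paths = ["/proc/4321/status", "/proc/1/status", "/proc/self/status"]
    print("wide :", grants("@{PROC}/@{pid}/status", paths))
    print("tight:", grants(self_only_rule("@{PROC}/@{pid}/status", 4321), paths))
```

Note that `/proc/self/status` does not match either rule: the kernel resolves the `self` symlink before mediation, so the path AppArmor actually sees is `/proc/<pid>/status`, which is exactly why the wide `@{pid}` form ends up in so many profiles.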