[apparmor] [Merge] lp:~smcv/apparmor/cpus-conf into lp:apparmor
smcv at collabora.com
Wed Apr 12 17:43:25 UTC 2017
Simon McVittie has proposed merging lp:~smcv/apparmor/cpus-conf into lp:apparmor.
AppArmor Developers (apparmor-dev)
For more details, see:
abstractions/base: Allow sysconf(_SC_NPROCESSORS_CONF)
glibc implements this by doing a readdir() and filtering.
We already allowed sysconf(_SC_NPROCESSORS_ONLN), which is
basically a read from /sys/devices/system/cpu/online.
For context: while testing a confined process that invokes apparmor_parser under its own profile, I noticed that apparmor_parser does this. For now I'm adding it to that process's profile, but it seems like something that could reasonably go in <abstractions/base> - in practice on consumer systems the answer is going to be the same as cpu/online, which we already allow reading.
(I realise that's an odd thing to do, because that confined process needs to exercise CAP_MAC_ADMIN, making it all-powerful. However, the confinement is aiming to prevent accidentally reading untrusted content into a TCB process, rather than preventing the process itself from escalating privileges.)
Your team AppArmor Developers is requested to review the proposed merge of lp:~smcv/apparmor/cpus-conf into lp:apparmor.
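The difference between the two sysconf() queries in the commit message, as an added C sketch (not glibc's code and not part of the merge proposal): one query lists the `/sys/devices/system/cpu` directory and filters its entries, the other parses the contents of a single file. The function names are hypothetical, and the filtering only approximates the behaviour the commit message describes.

```c
#include <dirent.h>
#include <stdio.h>
#include <string.h>

/* Keep "cpu0", "cpu17"; drop "cpufreq", "cpuidle", "online". */
static int is_cpu_entry(const char *name)
{
    return strncmp(name, "cpu", 3) == 0 && name[3] != '\0' &&
           name[3 + strspn(name + 3, "0123456789")] == '\0';
}

/* CONF style: list the directory; -1 if opendir() fails (e.g. EACCES). */
static int count_conf(const char *dir)
{
    DIR *d = opendir(dir);
    struct dirent *e;
    int n = 0;
    if (!d)
        return -1;
    while ((e = readdir(d)) != NULL)
        n += is_cpu_entry(e->d_name);
    closedir(d);
    return n;
}

/* ONLN style: count a range list such as "0-3,5\n"; -1 if malformed. */
static int count_online(const char *p)
{
    int n = 0, lo, hi, used;
    while (*p && *p != '\n') {
        if (sscanf(p, "%d-%d%n", &lo, &hi, &used) != 2) {
            if (sscanf(p, "%d%n", &lo, &used) != 1)
                return -1;
            hi = lo;
        }
        if (lo < 0 || hi < lo)
            return -1;
        n += hi - lo + 1;
        p += used + (p[used] == ',');
    }
    return n;
}

int main(void)
{
    /* "0-3,5\n" is a constructed sample of cpu/online contents. */
    printf("conf=%d online=%d\n",
           count_conf("/sys/devices/system/cpu"), count_online("0-3,5\n"));
    return 0;
}
```

A profile that permits reading `cpu/online` but not listing the directory lets the second query succeed while the first one's `opendir()` is denied, which is the gap the proposal addresses.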