[apparmor] [profile] netstat: cannot open /proc/net/dev (permission denied.) Limited output.
Seth Arnold
seth.arnold at canonical.com
Wed Dec 6 21:20:41 UTC 2017
On Wed, Dec 06, 2017 at 07:14:05PM +0000, daniel curtis wrote:
> apparmor="DENIED" operation="open" profile="/bin/netstat"
> name="/proc/2513/net/dev" pid=4084 comm="netstat" requested_mask="r"
> denied_mask="r" fsuid=0 ouid=0
>
> As we can see, there is a simple "DENIED" action referring to the {PROC}
> folder. What do all of you think about adding something like this to the
> netstat profile? (Which one is a better choice? I would like to use the
> first rule, because it uses a new '@{pid}' type.)
>
> @{PROC}/@{pid}/net/dev r,
> @{PROC}/[0-9]*/net/dev r,
Hello Daniel, nice find.
I strongly recommend using:
@{PROC}/@{pids}/net/dev r,
@{pid} will probably mean "this specific process's pid" at some point in
the future. @{pids} will remain "all valid pids".
> And what about an "owner" prefix? Is it needed here? Because of a "missing
> interface information" line found in the error, I decided to add an interface
> (an example: '$ sudo netstat -ni enp0s11') but the error message was exactly
> the same as above. The log file entry was also the same, of course, except
> for the PID numbers.
Don't add 'owner' to netstat rules: an administrator needs to inspect all
processes owned by all users.
Thanks
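As an added example, not from this thread or from the AppArmor project, here is a small script that applies the two points made in the reply above to a DENIED audit line: the numeric pid directory under /proc is generalized to @{pids} (all valid pids, not @{pid}), and system-wide inspection tools such as netstat get no 'owner' prefix. The sample line is the denial quoted in the thread, joined onto one line; the second sample, the ADMIN_TOOLS set and the fsuid==ouid heuristic for suggesting 'owner' are assumptions of this example, not behaviour documented by the page.

```python
"""Turn an AppArmor DENIED audit line into a candidate profile rule (added example)."""
import re
import shlex

# Sample 1: the denial quoted in the thread, wrapped onto a single line.
SAMPLE_DENIAL = (
    'apparmor="DENIED" operation="open" profile="/bin/netstat" '
    'name="/proc/2513/net/dev" pid=4084 comm="netstat" requested_mask="r" '
    'denied_mask="r" fsuid=0 ouid=0'
)

# Sample 2 (constructed): an ordinary user program reading its own /proc entry.
SAMPLE_USER_DENIAL = (
    'apparmor="DENIED" operation="open" profile="/usr/bin/example" '
    'name="/proc/123/status" pid=123 comm="example" requested_mask="r" '
    'denied_mask="r" fsuid=1000 ouid=1000'
)

# Profiles for tools that must inspect every process; never suggest 'owner' here
# (assumed set, extend as needed).
ADMIN_TOOLS = {"/bin/netstat", "/usr/bin/netstat"}

# Matches "/proc/<pid>" followed by a slash or end of string.
_PROC_PID = re.compile(r"^/proc/(\d+)(/|$)")


def parse_denial(line: str) -> dict:
    """Split an audit line into key -> value, with shell-style quotes removed."""
    fields = {}
    for token in shlex.split(line):
        if "=" not in token:
            continue
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def generalize_path(path: str) -> str:
    """Rewrite /proc to @{PROC} and a numeric pid directory to @{pids}."""
    m = _PROC_PID.match(path)
    if m:
        # Keep everything after the pid component, e.g. "/net/dev".
        return "@{PROC}/@{pids}" + path[m.end(1):]
    if path == "/proc" or path.startswith("/proc/"):
        return "@{PROC}" + path[len("/proc"):]
    return path


def suggest_rule(line: str) -> str:
    """Return a candidate profile rule for one DENIED line."""
    f = parse_denial(line)
    if f.get("apparmor") != "DENIED":
        raise ValueError("not an AppArmor DENIED line")
    path = generalize_path(f["name"])
    mask = f.get("denied_mask") or f["requested_mask"]
    # Heuristic (assumed): 'owner' is only a candidate when the confined program
    # is not a system-wide inspector and the file belongs to the accessing uid.
    use_owner = (
        f.get("profile") not in ADMIN_TOOLS
        and f.get("fsuid") == f.get("ouid")
        and path.startswith("@{PROC}/@{pids}/")
    )
    prefix = "owner " if use_owner else ""
    return f"{prefix}{path} {mask},"


if __name__ == "__main__":
    for sample in (SAMPLE_DENIAL, SAMPLE_USER_DENIAL):
        print(suggest_rule(sample))
```

Running the script prints `@{PROC}/@{pids}/net/dev r,` for the netstat denial and `owner @{PROC}/@{pids}/status r,` for the constructed user-program denial; the generated rule is a starting point to review before it goes into a profile, not a replacement for aa-logprof.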