[apparmor] [profile] netstat: cannot open /proc/net/dev (permission denied.) Limited output.
Christian Boltz
apparmor at cboltz.de
Thu Dec 7 12:44:09 UTC 2017
Hello,
On Wednesday, 6 December 2017, 22:20:41 CET, Seth Arnold wrote:
> On Wed, Dec 06, 2017 at 07:14:05PM +0000, daniel curtis wrote:
> > As we can see, there is a simple "DENIED" action referring to the
> > {PROC} folder. What do all of you think about adding something like
> > this to the netstat profile? (Which one is a better choice? I would
> > like to use the first rule, because it uses a new '@{pid}' type.)
> I strongly recommend using:
>
> @{PROC}/@{pids}/net/dev r,
The profile already allows reading a dozen files there, and I'd guess
netstat is _the_ tool to read files in those directories.
So, silly question - is there anything in @{PROC}/@{pids}/net/ that
netstat should _not_ be allowed to read? (I'm not familiar with what all
those files provide, so maybe there are some sensitive files netstat
shouldn't be allowed to read.)
If nothing in @{PROC}/@{pids}/net/ is more sensitive than what we
already allow to read, what about
@{PROC}/@{pids}/net/* r,
or even
@{PROC}/@{pids}/net/** r,
?
Regards,
Christian Boltz
--
>you mean the "personal experiences" of the people writing here, yes?
>then it's good that you didn't ask here what you should use for sorting
>your mail. because otherwise it would probably be procmail.
Hehe, 1:0 for you. [> Michael Meyer and Thorsten Haude in suse-linux]
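To make the difference between the `net/*` and `net/**` variants discussed above concrete, here is an added Python example (not from this thread or from the AppArmor project) that translates the path part of a file rule into a regex and checks constructed /proc paths against the three candidate rules. The variable definitions are a simplified assumption; the real tunables/kernelvars file is more precise. The rules use @{pids} because /proc/net is a symlink to /proc/self/net and AppArmor matches the resolved path.

```python
import re

# Simplified stand-ins for the AppArmor tunables (assumption: the real
# kernelvars definition of @{pid}/@{pids} is a more precise alternation).
VARS = {"@{PROC}": "/proc", "@{pids}": "[1-9][0-9]*", "@{pid}": "[1-9][0-9]*"}


def apparmor_glob_to_regex(rule_path: str) -> str:
    """Translate the path of an AppArmor file rule into a regex.
    Handles the subset used in the thread: variables, '*' (one path
    component, never crosses '/') and '**' (spans directories)."""
    out, i = [], 0
    names = sorted(VARS, key=len, reverse=True)  # try @{pids} before @{pid}
    while i < len(rule_path):
        for name in names:
            if rule_path.startswith(name, i):
                out.append(VARS[name])
                i += len(name)
                break
        else:
            if rule_path.startswith("**", i):
                out.append(".*")          # '**' may match '/'
                i += 2
            elif rule_path[i] == "*":
                out.append("[^/]*")       # '*' stops at a directory boundary
                i += 1
            else:
                out.append(re.escape(rule_path[i]))
                i += 1
    return "".join(out)


def rule_allows(rule_path: str, path: str) -> bool:
    """True if the rule's path pattern covers the given (resolved) path."""
    return re.fullmatch(apparmor_glob_to_regex(rule_path), path) is not None


def compare_rules(rules, paths):
    """For each candidate rule, list which of the sample paths it covers."""
    return {r: [p for p in paths if rule_allows(r, p)] for r in rules}


# Constructed sample paths (not taken from a real system).
SAMPLE_PATHS = ["/proc/1234/net/dev", "/proc/1234/net/tcp",
                "/proc/1234/net/stat/rt_cache", "/proc/1234/status", "/proc/net/dev"]
CANDIDATE_RULES = ["@{PROC}/@{pids}/net/dev", "@{PROC}/@{pids}/net/*",
                   "@{PROC}/@{pids}/net/**"]

if __name__ == "__main__":
    for rule, covered in compare_rules(CANDIDATE_RULES, SAMPLE_PATHS).items():
        print(f"{rule} r,  ->  {covered}")
```

Only the `**` form reaches files below a subdirectory such as net/stat/, which is exactly the extra scope the thread asks whether netstat should have.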