[apparmor] Deny other users /proc entries

azurit at pobox.sk
Tue Mar 6 21:11:18 UTC 2018


Hi,

I'm trying to allow users to run applications like ps or htop while seeing only their own processes. Htop, for example, needs read permission to /proc/<pid>/cmdline BUT when a process changes uid from root to user, this happens:
  - directory /proc/<pid>/ is correctly owned by user
  - file /proc/<pid>/cmdline is still owned by root (with world read permission)

If I do something like this:
/proc/ r,
owner /proc/** r,

such processes are not shown in ps/htop (because /proc/<pid>/cmdline is owned by root, not 'owner').

If I add this:
/proc/*/cmdline r,

Users can see all processes.

Any hints? Maybe something like 'deny entering directory (x permission)'.
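An added diagnostic (example code, not part of the original post or of AppArmor itself) that walks /proc and reports every process whose /proc/<pid>/cmdline owner differs from the owner of its /proc/<pid> directory. Those are exactly the entries an `owner /proc/** r,` rule would refuse to a confined ps or htop, since `owner` only matches files whose owner equals the fsuid of the confined process. The function names proc_owner, cmdline_owner_matches_dir and list_mismatches are the example's own; it assumes a Linux /proc and a stat that accepts `-c %u` (GNU or busybox).

```shell
#!/bin/sh
# Added example: compare the owner of /proc/<pid> with the owner of
# /proc/<pid>/cmdline for every visible process. A mismatch is the case
# described in the post (directory owned by the user, cmdline owned by
# root), which an AppArmor "owner /proc/** r," rule will not grant.

# proc_owner PATH -> prints the numeric uid owning PATH, or "-" when the
# path cannot be stat'ed (no /proc, no such pid, or no stat -c support).
proc_owner() {
    stat -c %u "$1" 2>/dev/null || printf '%s\n' '-'
}

# cmdline_owner_matches_dir PID -> exit 0 when /proc/PID and
# /proc/PID/cmdline share an owner, 1 otherwise.
cmdline_owner_matches_dir() {
    d=$(proc_owner "/proc/$1")
    f=$(proc_owner "/proc/$1/cmdline")
    [ "$d" = "$f" ]
}

# list_mismatches -> one line per pid whose cmdline owner differs from
# the directory owner, as "<pid> dir=<uid> cmdline=<uid>".
list_mismatches() {
    for p in /proc/[0-9]*; do
        pid=${p#/proc/}
        d=$(proc_owner "$p")
        f=$(proc_owner "$p/cmdline")
        [ "$d" = "$f" ] || printf '%s dir=%s cmdline=%s\n' "$pid" "$d" "$f"
    done
}

# Report from the shell's own point of view; run as the unprivileged
# user whose profile is being written to see what that user would hit.
list_mismatches
```

Run it as the user the profile confines: every line printed is a process that the `owner` rule alone will hide, so you can judge whether the count is the set you expect (other users' processes) or also includes the user's own uid-switched processes.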