[apparmor] Deny other users /proc entries
azurit at pobox.sk
Tue Mar 6 21:11:18 UTC 2018
Hi,
I'm trying to allow users to run applications like ps or htop while
seeing only their own processes. Htop, for example, needs read
permission to /proc/<pid>/cmdline BUT when a process changes uid from
root to user, this happens:
- directory /proc/<pid>/ is correctly owned by user
- file /proc/<pid>/cmdline is still owned by root (with world read
permission)
If I do something like this:
/proc/ r,
owner /proc/** r,
such processes are not shown in ps/htop (because /proc/<pid>/cmdline
is owned by root, not 'owner').
If I add this:
/proc/*/cmdline r,
Users can see all processes.
Any hints? Maybe something like 'deny entering directory (x permission)'.
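Added here as an example, not part of the original message: a small Python check that lists the processes whose /proc/<pid>/ directory and /proc/<pid>/cmdline file have different owners, i.e. exactly the entries an `owner /proc/** r,` rule leaves unreadable. The uid map SAMPLE_UIDS is constructed; scan_proc() builds the same map from the live procfs.

```python
"""Find /proc entries where the pid directory and its cmdline file are
owned by different uids (the case described in the post: a process that
switched from root to a user keeps a root-owned cmdline)."""
import os


def mismatches_from_uids(uids, root="/proc"):
    """uids maps paths such as '/proc/4242' and '/proc/4242/cmdline' to the
    owning uid. Returns sorted (pid, dir_uid, cmdline_uid) tuples for every
    pid directory whose cmdline owner differs from the directory owner."""
    out = []
    prefix = root.rstrip("/") + "/"
    for path, dir_uid in uids.items():
        name = path[len(prefix):] if path.startswith(prefix) else ""
        if not name.isdigit():  # skip /proc/self, /proc/sys, nested paths
            continue
        cmd_uid = uids.get(path + "/cmdline")
        if cmd_uid is not None and cmd_uid != dir_uid:
            out.append((int(name), dir_uid, cmd_uid))
    return sorted(out)


def scan_proc(root="/proc"):
    """Collect directory and cmdline owners from the live procfs and run the
    same check. Processes that exit mid-scan are skipped; on a host without
    procfs the result is simply empty."""
    uids = {}
    if not os.path.isdir(root):
        return []
    for name in os.listdir(root):
        if not name.isdigit():
            continue
        d = f"{root.rstrip('/')}/{name}"
        try:
            uids[d] = os.stat(d).st_uid
            uids[d + "/cmdline"] = os.stat(d + "/cmdline").st_uid
        except FileNotFoundError:
            continue
    return mismatches_from_uids(uids, root)


# Constructed sample, not real output: pid 4242 dropped from root to uid
# 1000 after starting, pid 4243 ran as uid 1000 from the start, pid 1 is root.
SAMPLE_UIDS = {
    "/proc/1": 0, "/proc/1/cmdline": 0,
    "/proc/4242": 1000, "/proc/4242/cmdline": 0,
    "/proc/4243": 1000, "/proc/4243/cmdline": 1000,
    "/proc/self": 1000,  # symlink, not a pid directory: ignored
}

if __name__ == "__main__":
    for pid, d, c in mismatches_from_uids(SAMPLE_UIDS) + scan_proc():
        print(f"pid {pid}: dir uid {d}, cmdline uid {c} (not matched by 'owner')")
```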