[apparmor] Deny other users /proc entries

Arkadiusz Miśkiewicz arekm at maven.pl
Tue Mar 6 21:15:34 UTC 2018


On Tuesday 06 of March 2018, azurit at pobox.sk wrote:
> Hi,
> 
> i'm trying to allow users to run applications like ps or htop while
> seeing only their own processes. Htop, for example, needs read
> permission to /proc/<pid>/cmdline BUT when a process changes uid from
> root to user, this happens:
>   - directory /proc/<pid>/ is correctly owned by user
>   - file /proc/<pid>/cmdline is still owned by root (with world read
> permission)

Do you really need to use apparmor for this?

Mount /proc with hidepid=2 option (and add that to fstab).

-- 
Arkadiusz Miśkiewicz, arekm / ( maven.pl | pld-linux.org )
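Worked example of the hidepid=2 approach suggested above. This is an added illustration, not code from either poster: it generates the persistent fstab line and the live remount command, and parses a mount table (a constructed sample, in /proc/mounts format) to check whether /proc already hides other users' processes. The optional gid= group is an assumption for the common case where one monitoring group still needs to see everything; the kernel option names (hidepid=2 on older kernels, the equivalent hidepid=invisible string on kernels 5.8 and later) are real mount options.

```shell
#!/bin/sh
# Added example: hide other users' /proc/<pid> entries with hidepid=2 instead of
# an AppArmor profile. Nothing here needs root; the commands are printed, not run.

# Persistent setting for /etc/fstab. Pass a group name/id as $1 (assumption: a
# monitoring group that may still see all processes); omit it to hide from every
# non-root user. hidepid=2 hides the directories entirely; hidepid=1 would only
# make them unreadable while still listing them.
proc_fstab_line() {
    if [ -n "$1" ]; then
        printf 'proc /proc proc defaults,nosuid,nodev,noexec,hidepid=2,gid=%s 0 0\n' "$1"
    else
        printf 'proc /proc proc defaults,nosuid,nodev,noexec,hidepid=2 0 0\n'
    fi
}

# Apply it immediately (must be run as root on the target host).
proc_remount_cmd() {
    printf 'mount -o remount,hidepid=2 /proc\n'
}

# Print the hidepid value of the /proc mount in a /proc/mounts-format table ($1).
# Prints "0" when /proc is mounted without hidepid; exit status 1 if no procfs
# mount on /proc is present at all.
proc_hidepid_value() {
    printf '%s\n' "$1" | awk '
        $2 == "/proc" && $3 == "proc" {
            found = 1; val = "0"
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++)
                if (opts[i] ~ /^hidepid=/) { sub(/^hidepid=/, "", opts[i]); val = opts[i] }
            print val
        }
        END { exit found ? 0 : 1 }
    '
}

# Exit 0 if the table shows a /proc mount that hides other users processes.
# Kernels >= 5.8 report the string forms (invisible/ptraceable); older kernels
# report the numeric 2 (or 4 for ptraceable).
proc_hides_others() {
    v=$(proc_hidepid_value "$1") || return 1
    case "$v" in
        2|4|invisible|ptraceable) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample mount tables (not captured from a real host).
SAMPLE_MOUNTS_HIDDEN='sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime,hidepid=2 0 0
/dev/sda1 / ext4 rw,relatime 0 0'

SAMPLE_MOUNTS_PLAIN='sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda1 / ext4 rw,relatime 0 0'

# Usage: check the running host, then print what to do if it is not hidden yet.
if [ -r /proc/mounts ]; then
    if proc_hides_others "$(cat /proc/mounts)"; then
        echo "/proc already hides other users' processes"
    else
        echo "add to /etc/fstab:"; proc_fstab_line
        echo "then run:";          proc_remount_cmd
    fi
fi
```

After remounting, a non-root user's `ps` or `htop` only lists that user's own processes, and `/proc/<pid>/cmdline` of another user's process is no longer reachable, which is the visibility the original question asked AppArmor for. Check that anything running as non-root which legitimately needs the whole process table (monitoring agents, for instance) is either in the gid= group or runs as root before rolling this out.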


