[apparmor] Deny other users /proc entries

azurit at pobox.sk azurit at pobox.sk
Tue Mar 6 21:27:21 UTC 2018


Quoting Arkadiusz Miśkiewicz <arekm at maven.pl>:

> On Tuesday 06 of March 2018, azurit at pobox.sk wrote:
>> Hi,
>>
>> I'm trying to allow users to run applications like ps or htop while
>> seeing only their own processes. Htop, for example, needs read
>> permission to /proc/<pid>/cmdline BUT when a process changes uid from
>> root to user, this happens:
>>   - directory /proc/<pid>/ is correctly owned by user
>>   - file /proc/<pid>/cmdline is still owned by root (with world read
>> permission)
>
> Do you really need to use apparmor for this?
>
> Mount /proc with hidepid=2 option (and add that to fstab).
>
> --
> Arkadiusz Miśkiewicz, arekm / ( maven.pl | pld-linux.org )



Haha, thanks, didn't know about that. Funny thing is, the problem with
processes which changed uid is still a problem :) cannot access
(hidepid=1) or see (hidepid=2) them.

Any other hints?
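An added diagnostic script, not part of this thread, that checks the two things discussed above: whether procfs is currently mounted with hidepid (parsed from /proc/mounts text, with a constructed sample inline), and which /proc/<pid> directories have a cmdline file owned by a different uid than the directory itself, which is exactly the state azurit describes for processes that dropped from root to a user. The mount sample and the function names are this example's own.

```python
import os

# Constructed sample of /proc/mounts content (not taken from the thread).
SAMPLE_MOUNTS = """\
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime,hidepid=2 0 0
tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0
"""


def parse_hidepid(mounts_text, mountpoint="/proc"):
    """Return the hidepid= value of the procfs mount at `mountpoint`.

    Returns "0" when procfs is mounted without the option (the kernel
    default, nothing hidden) and None when no procfs mount is found there.
    """
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        _src, mnt, fstype, opts = fields[:4]
        if mnt != mountpoint or fstype != "proc":
            continue
        for opt in opts.split(","):
            if opt.startswith("hidepid="):
                return opt[len("hidepid="):]
        return "0"
    return None


def uid_mismatched_pids(proc_root="/proc"):
    """List (pid, dir_uid, cmdline_uid) for every <proc_root>/<pid> whose
    cmdline file is not owned by the same uid as the directory.

    Processes that exit, or entries that are unreadable under hidepid,
    are skipped rather than aborting the scan.
    """
    found = []
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        pid_dir = os.path.join(proc_root, name)
        try:
            dir_uid = os.stat(pid_dir).st_uid
            cmd_uid = os.stat(os.path.join(pid_dir, "cmdline")).st_uid
        except OSError:
            continue
        if dir_uid != cmd_uid:
            found.append((int(name), dir_uid, cmd_uid))
    return sorted(found)


if __name__ == "__main__":
    # Run against the live system: report the effective hidepid setting and
    # any processes whose cmdline ownership disagrees with their directory.
    with open("/proc/mounts") as f:
        print("hidepid on /proc:", parse_hidepid(f.read()))
    for pid, dir_uid, cmd_uid in uid_mismatched_pids():
        print(f"pid {pid}: dir uid {dir_uid}, cmdline uid {cmd_uid}")
```

Run it once before and once after remounting /proc with hidepid=2 (and the matching fstab line, e.g. `proc /proc proc defaults,hidepid=2 0 0`, so it survives a reboot); the mismatch list shows which processes a user will still be unable to inspect even with the option in place.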
