[pkg-apparmor] Bug#771978: Patch: apparmor profile for ps
Seth Arnold
seth.arnold at canonical.com
Fri Dec 12 19:57:54 UTC 2014
On Fri, Dec 12, 2014 at 01:46:21PM +0100, intrigeri wrote:
> Craig Small wrote (06 Dec 2014 20:46:29 GMT) :
> > I have tested this with ps and it seems that all the flags are working
> > OK. I couldn't break it with the usual combination of ps options.
>
> Thanks for testing!
Very nice, thanks.
> OK, then I would simply replace all @{PROC}@{pid} lines with:
>
> @{PROC}@{pid}/** r,
>
On Fri, Dec 12, 2014 at 01:53:53PM +0100, intrigeri wrote:
> > You suggest that we just add a blanket whitelist with code such as
> > @{PROC}** r perhaps?
>
> I've suggested "@{PROC}/@{pid}/** r," in another sub-thread.
I believe "@{PROC}/@{pids}/** r," (note the pid*s*) would be a better fit;
the intention is that we'll eventually have a kernel-side variable for
@{pid} that applies to only the current process and @{pids} will continue to
refer to all possible pids.
(Depending upon how many in-the-wild profiles assume @{pid} refers to all
pids, we might not be able to actually make that change, but that was the
hope when we introduced @{pid} and @{pids}.)
Thanks
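The difference between the two variables, as an added example that is not part of the original message or of AppArmor's code: it models rule-path matching for the rules quoted above, first with both variables covering every pid and then with the intended future meaning of @{pid}. The tunable values, the slash collapsing, the glob translation and the pid 4242 are assumptions made for illustration.

```python
import re

# Assumed tunables, modelled on AppArmor's shipped definitions: @{PROC} is
# /proc/, @{pid} is a glob for 1-6 digit pids, and @{pids} is the same glob.
PID_GLOB = "{" + ",".join("[1-9]" + "[0-9]" * n for n in range(6)) + "}"
TODAY = {"PROC": "/proc/", "pid": PID_GLOB, "pids": PID_GLOB}
# Hypothetical future described in the mail: @{pid} is only the confined
# process's own pid (4242 is a constructed value); @{pids} is unchanged.
FUTURE = dict(TODAY, pid="4242")


def expand(rule_path, variables):
    """Substitute @{var} textually, then collapse the doubled slashes left
    behind by writing "@{PROC}/..." when @{PROC} already ends in "/"."""
    text = re.sub(r"@\{(\w+)\}", lambda m: variables[m.group(1)], rule_path)
    return re.sub(r"/{2,}", "/", text)


def glob_to_regex(glob):
    """Translate the glob subset used in these rules into a regex string."""
    out, i, depth = [], 0, 0
    while i < len(glob):
        c = glob[i]
        if glob.startswith("**", i):      # ** crosses directory separators
            out.append(".*")
            i += 1
        elif c == "*":                    # * stays within one path component
            out.append("[^/]*")
        elif c == "{":
            out.append("(?:")
            depth += 1
        elif c == "}":
            out.append(")")
            depth -= 1
        elif c == "," and depth:          # alternation separator inside {}
            out.append("|")
        elif c == "[":                    # character class, copied verbatim
            end = glob.index("]", i)
            out.append(glob[i:end + 1])
            i = end
        else:
            out.append(re.escape(c))
        i += 1
    return "".join(out)


def allows(rule_path, path, variables=TODAY):
    """True if the rule's path expression matches the given /proc path."""
    return re.fullmatch(glob_to_regex(expand(rule_path, variables)), path) is not None
```

Under `FUTURE`, a profile written with @{pid} would no longer let ps read other processes' entries, while one written with @{pids} keeps working and still excludes non-pid paths such as /proc/sys that a blanket `@{PROC}** r,` would cover.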