On Mon, Dec 01, 2014 at 05:19:33PM -0600, parspes wrote:
> Hi everyone,
> I have a tentative profile for bin.ps but I have a question before I
> submit it to the package maintainer. I have received no response from
> the package maintainer regarding a profile.
>
> I have identified three capabilities requested by ps on my system:
> dac_override
> dac_read_search
> sys_ptrace
>
> It appears that for general functioning the only absolutely necessary
> capability is sys_ptrace, as well as I can discern. I request
> suggestions about which capabilities should be allowed and which
> should be denied. Thanks.

Hello Pat,

The cap_dac_read_search is likely needed for /proc/<pid>/task/ thread enumeration for processes owned by other users; cap_dac_override is likely needed for all the other files in /proc/<pid>/ and subdirectories for processes owned by other users.

There are two theories of thought here -- one is that you should deny the cap_dac_read_search and cap_dac_override so that users cannot discover what other users on the system are doing. The other is that you should allow them because that's a usual use of ps.

If you're providing a profile for distribution to others, it is probably best to include all the necessary permissions: people expect their computers to work substantially identically with AppArmor installed as before.

If you're building a profile for your own use, it might make sense to lock it down. You'll have to decide if that's a good idea or not.

Thanks

--
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
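
Added example, not part of the original thread and not a shipped or submitted profile: the two options discussed above written as AppArmor capability rules. The `/bin/ps` attachment path and the file rules are assumptions for illustration; only the three capability names come from the thread.

```apparmor
# Added illustration. Assumptions: ps lives at /bin/ps, and the file rules
# below are a minimal guess that a real system would refine from audit logs.
#include <tunables/global>

/bin/ps {
  #include <abstractions/base>
  #include <abstractions/nameservice>   # assumed: uid -> user name lookups

  # The capability the original poster found necessary for general use.
  capability sys_ptrace,

  # Variant A (profile for distribution): allow both DAC capabilities so
  # that ps shows other users' processes as it does without AppArmor.
  capability dac_read_search,   # /proc/<pid>/task/ of other users' processes
  capability dac_override,      # other files under /proc/<pid>/ of other users

  # Variant B (locked-down, own use): remove the two rules above and use the
  # explicit denials below instead. A capability with no rule is already
  # refused in enforce mode; "deny" additionally keeps the expected
  # rejections out of the audit log, while "audit deny" keeps logging them.
  #
  #   deny capability dac_read_search,
  #   deny capability dac_override,

  /bin/ps mr,
  @{PROC}/ r,
  @{PROC}/** r,
}
```

Loading the profile in complain mode first and reading the resulting audit messages shows which of the assumed file rules a given system actually needs before either variant is enforced.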