Hello,

On Friday, 18 November 2016, 11:14:52 CET, Seth Arnold wrote:
> On Fri, Nov 18, 2016 at 07:47:48PM +0100, daniel curtis wrote:
> > So if AppArmor DENIED /proc/2496/net/arp (requested_mask="r"
> > denied_mask="r") access and according to yours words I should use
> > such rule:
> > 
> > @{PROC}/[0-9]*/net/arp r,
> > 
> > Am I right? It is a sufficient rule? Can you confirm this?
> 
> Hi Daniel, this rule should be sufficient to allow firefox's new netid
> feature to work.

For bonus points, you can use

    @{PROC}/@{pid}/net/arp r,

which currently expands to "one or more digits" (see tunables/kernelvars 
for the exact definition) and is not too different from [0-9]* [1].

The reason for using @{pid} is that we have plans to make it a kernel-
side variable so that @{pid} will be interpreted as "this process' own 
pid only". Note that this is a _plan_ and that I didn't mention any date 
;-)

We also have a variable @{pids} for "all pids".


Regards,

Christian Boltz

[1] "[0-9]*" means a digit, followed by any number of any char (not only 
    digits) - but thanks to the /proc/ layout, there is no real 
    difference in practice
-- 
A short correct answer (some may call it unfriendly)
is better than a long, friendly, wrong one.
[Dirk H. Hohndel, SuSE]
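To see the difference between `[0-9]*` and `@{pid}` that the footnote describes, here is a small added example (not code from the thread or from the AppArmor project) that expands `@{...}` variables and translates AppArmor path globs into regexes; the `@{pid}` definition used here is a constructed stand-in for the one in tunables/kernelvars (1 to 7 digits, no leading zero), and `@{PROC}` is assumed to be `/proc`. In AppArmor globs, `*` matches any run of characters except `/`, which is why `[0-9]*` also matches `/proc/2abc/net/arp` while the `@{pid}` expansion does not.

```python
import re

# Constructed stand-ins for the AppArmor tunables (assumption: the real
# tunables/kernelvars defines @{pid} as an alternation of 1..7 digit groups
# with no leading zero; check the file on your system for the exact text).
VARS = {
    "PROC": "/proc",
    "pid": "{" + ",".join("[1-9]" + "[0-9]" * n for n in range(7)) + "}",
}

def expand_vars(pattern, variables=VARS):
    """Substitute every @{name} reference in an AppArmor rule path."""
    for name, value in variables.items():
        pattern = pattern.replace("@{" + name + "}", value)
    return pattern

def glob_to_regex(pattern):
    """Translate AppArmor path-glob syntax into a Python regex:
    '*' matches any run of chars except '/', '**' any run including '/',
    '?' one non-'/' char, '[...]' a char class, '{a,b}' an alternation."""
    out, depth, i = [], 0, 0
    while i < len(pattern):
        c = pattern[i]
        if pattern.startswith("**", i):
            out.append(".*"); i += 1
        elif c == "*":
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        elif c == "[":                      # copy the character class verbatim
            j = pattern.index("]", i)
            out.append(pattern[i:j + 1]); i = j
        elif c == "{":
            out.append("(?:"); depth += 1
        elif c == "}":
            out.append(")"); depth -= 1
        elif c == "," and depth > 0:        # ',' separates alternatives
            out.append("|")
        else:
            out.append(re.escape(c))
        i += 1
    return "".join(out)

def rule_matches(rule_path, path):
    """True if the path part of an AppArmor file rule matches `path`."""
    return re.fullmatch(glob_to_regex(expand_vars(rule_path)), path) is not None

if __name__ == "__main__":
    for rule in ("@{PROC}/[0-9]*/net/arp", "@{PROC}/@{pid}/net/arp"):
        for p in ("/proc/2496/net/arp", "/proc/2abc/net/arp", "/proc/2496/net/arp/x"):
            print(f"{rule:26} {p:24} {rule_matches(rule, p)}")
```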


-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com