Hello,

On Friday, 18 November 2016, 11:14:52 CET, Seth Arnold wrote:
> On Fri, Nov 18, 2016 at 07:47:48PM +0100, daniel curtis wrote:
> > So if AppArmor DENIED /proc/2496/net/arp (requested_mask="r"
> > denied_mask="r") access and according to your words I should use
> > such a rule:
> >
> > @{PROC}/[0-9]*/net/arp r,
> >
> > Am I right? Is it a sufficient rule? Can you confirm this?
>
> Hi Daniel, this rule should be sufficient to allow firefox's new netid
> feature to work.

For bonus points, you can use

    @{PROC}/@{pid}/net/arp r,

which currently expands to "one or more digits" (see tunables/kernelvars for the exact definition) and is not too different from [0-9]* [1].

The reason for using @{pid} is that we have plans to make it a kernel-side variable so that @{pid} will be interpreted as "this process' own pid only". Note that this is a _plan_ and that I didn't mention any date ;-)

We also have a variable @{pids} for "all pids".

Regards,

Christian Boltz

[1] "[0-9]*" means a digit, followed by any number of any char (not only digits) - but thanks to the /proc/ layout, there is no real difference in practice

-- 
A short correct answer (some may call it unfriendly) is better than a long, friendly, wrong one. [Dirk H. Hohndel, SuSE]
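To make footnote [1] concrete, here is an added Python example (not part of the original thread and not AppArmor's own tooling) that translates both rule paths into regular expressions and matches them against sample /proc paths. It assumes a constructed variable table with @{PROC} = /proc, models @{pid} as "one or more digits" exactly as the message describes its current meaning (the authoritative definition is in tunables/kernelvars), and implements only a simplified subset of AppArmor's glob syntax.

```python
import re

# Constructed variable table (assumption): the authoritative definitions live in
# tunables/global and tunables/kernelvars, which this standalone script does not read.
GLOB_VARIABLES = {"@{PROC}": "/proc"}
PID = "\x01"  # stand-in for @{pid}; modelled as "one or more digits" per the message

def apparmor_glob_to_regex(glob: str) -> str:
    """Translate a simplified AppArmor path glob into a regex: '*' (no '/'),
    '**' (may cross '/'), [...] classes and {a,b} alternation; rest is literal."""
    glob = glob.replace("@{pid}", PID)
    for name, value in GLOB_VARIABLES.items():  # values contain no glob metachars
        glob = glob.replace(name, value)
    out, i = [], 0
    while i < len(glob):
        c = glob[i]
        if c == PID:
            out.append("[0-9]+")
            i += 1
        elif glob.startswith("**", i):
            out.append(".*")
            i += 2
        elif c == "*":
            out.append("[^/]*")
            i += 1
        elif c == "[":  # a class such as [0-9] is already valid regex syntax
            end = glob.index("]", i)
            out.append(glob[i:end + 1])
            i = end + 1
        elif c == "{":  # {a,b} alternation (non-nested)
            end = glob.index("}", i)
            alts = glob[i + 1:end].split(",")
            out.append("(?:" + "|".join(map(apparmor_glob_to_regex, alts)) + ")")
            i = end + 1
        else:
            out.append(re.escape(c))
            i += 1
    return "".join(out)

def rule_matches(rule_path: str, actual_path: str) -> bool:
    """True if the rule's path pattern covers the whole of actual_path."""
    return re.fullmatch(apparmor_glob_to_regex(rule_path), actual_path) is not None

if __name__ == "__main__":
    for rule in ("@{PROC}/[0-9]*/net/arp", "@{PROC}/@{pid}/net/arp"):
        for path in ("/proc/2496/net/arp", "/proc/2abc/net/arp", "/proc/self/net/arp"):
            print(f"{rule:26} {path:22} {rule_matches(rule, path)}")
```

Running it shows the point of footnote [1]: `[0-9]*` also accepts a directory such as `2abc`, which `@{pid}` rejects, while neither pattern matches `/proc/self/...`.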
-- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor