On 12/31/2016 01:41 PM, daniel curtis wrote:
>
> Hi John
>
> Thanks for the answer and explanation. I've created a bug report, because you
> wrote: "A bug would be good, I'll try fixing it soon and will
> need a bug to reference when I push the fix". Please see [1].
>
Yes, as I mentioned, there is a bug with the reporting of the target= profile name; I will use the bug for that.

> Anyway, I should add the rule I mentioned in the Launchpad bug report, right?
> I mean this one:
>
> @{PROC}/[0-9]*/net/tcp r,
>
> Is it secure enough, even if that log entry showed up after running netstat(8)
> as a normal user, not via sudo(8)?
>
Well, that depends on what you are trying to achieve, but likely this is good enough for your use case. This will limit netstat to reading the proc net/tcp file of any given process. You could restrict it further by using an owner prefix, limiting it to reading only processes owned by the user, but then you would also be limiting the sudo use case, unless you did more work to give root users a different profile.

> Best regards.
> _____________
> [1] https://lists.ubuntu.com/archives/apparmor/2016-December/010329.html
>
>

--
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
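The trade-off discussed in the reply (a PID-globbed rule for any process versus an `owner`-prefixed rule that only matches when the task's fsuid equals the file's uid) can be checked against the denial lines a profile generates. The script below is an added example and is not code from the thread or from the AppArmor project; the log lines are constructed to follow the layout of the kernel's `apparmor="DENIED"` messages, with made-up PIDs and uids, and the helper names (`suggest_rules`, `render_rules`) are my own.

```python
import re

# Constructed sample audit lines (not from the thread): the field layout follows
# AppArmor's apparmor="DENIED" messages; PIDs, fsuid and ouid values are made up.
# Line 2 models a sudo run (fsuid=0) reading a file owned by a non-root uid.
SAMPLE_LOG = """\
apparmor="DENIED" operation="open" profile="/bin/netstat" name="/proc/4242/net/tcp" pid=4242 comm="netstat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
apparmor="DENIED" operation="open" profile="/bin/netstat" name="/proc/4300/net/tcp" pid=4300 comm="netstat" requested_mask="r" denied_mask="r" fsuid=0 ouid=1000
apparmor="DENIED" operation="open" profile="/bin/netstat" name="/proc/4301/net/tcp6" pid=4301 comm="netstat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
"""

# key=value or key="quoted value" pairs as they appear in the audit message
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# a concrete /proc/<pid>/ prefix, to be replaced by the profile glob
PID_DIR_RE = re.compile(r'^/proc/[0-9]+/')


def parse_line(line):
    """Split one DENIED line into a dict of its key=value fields (quotes stripped)."""
    return {key: val.strip('"') for key, val in FIELD_RE.findall(line)}


def generalize_path(path):
    """Turn /proc/4242/net/tcp into @{PROC}/[0-9]*/net/tcp, the form used in the thread."""
    return PID_DIR_RE.sub('@{PROC}/[0-9]*/', path)


def suggest_rule(fields):
    """Return (rule, owner_would_match) for a single denial.

    AppArmor's `owner` conditional matches when the task's fsuid equals the
    object's uid, which the audit line exposes as fsuid and ouid.
    """
    rule = f"{generalize_path(fields['name'])} {fields['denied_mask']},"
    owner_ok = fields.get('fsuid') == fields.get('ouid')
    return rule, owner_ok


def suggest_rules(log_text):
    """Map each generalized rule to whether an `owner` prefix would have covered
    every observed access (one non-matching access, e.g. via sudo, disqualifies it)."""
    out = {}
    for line in log_text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        rule, owner_ok = suggest_rule(parse_line(line))
        out[rule] = out.get(rule, True) and owner_ok
    return out


def render_rules(rules):
    """Emit profile lines, adding `owner` only where it would not break an observed use."""
    return [("owner " if owner_ok else "") + rule for rule, owner_ok in sorted(rules.items())]


if __name__ == "__main__":
    for line in render_rules(suggest_rules(SAMPLE_LOG)):
        print(line)
```

On the constructed input the tcp rule is emitted without `owner` because the second line (the sudo-style access with fsuid=0) would not be matched by it, while the tcp6 rule gets the prefix. Rules produced this way are candidates to review, much as `aa-logprof` proposes them, not something to paste into a profile unread.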