Simon McVittie has proposed merging lp:~smcv/apparmor/cpus-conf into lp:apparmor.
Requested reviews: AppArmor Developers (apparmor-dev) For more details, see: https://code.launchpad.net/~smcv/apparmor/cpus-conf/+merge/322472 abstractions/base: Allow sysconf(_SC_NPROCESSORS_CONF) glibc implements this by doing a readdir() and filtering. We already allowed sysconf(_SC_NPROCESSORS_ONLN), which is basically a read from /sys/devices/system/cpu/online. --- For context: while testing a confined process that invokes apparmor_parser under its own profile, I noticed that apparmor_parser does this. For now I'm adding it to that process's profile, but it seems like something that could reasonably go in <abstractions/base> - in practice on consumer systems the answer is going to be the same as cpu/online, which we already allow reading. (I realise that's an odd thing to do, because that confined process needs to exercise CAP_MAC_ADMIN, making it all-powerful. However, the confinement is aiming to prevent accidentally reading untrusted content into a TCB process, rather than preventing the process itself from escalating privileges.) -- Your team AppArmor Developers is requested to review the proposed merge of lp:~smcv/apparmor/cpus-conf into lp:apparmor.
=== modified file 'profiles/apparmor.d/abstractions/base' --- profiles/apparmor.d/abstractions/base 2017-01-21 01:01:50 +0000 +++ profiles/apparmor.d/abstractions/base 2017-04-12 17:42:54 +0000 @@ -82,6 +82,7 @@ @{PROC}/meminfo r, @{PROC}/stat r, @{PROC}/cpuinfo r, + /sys/devices/system/cpu/ r, /sys/devices/system/cpu/online r, # glibc's *printf protections read the maps file
-- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor