Hello,

On Wednesday, 6 December 2017, 22:20:41 CET, Seth Arnold wrote:
> On Wed, Dec 06, 2017 at 07:14:05PM +0000, daniel curtis wrote:
> > As we can see, there is a simple "DENIED" action referring to the
> > {PROC} folder. What do all of you think about adding something like
> > this to the netstat profile? (Which one is a better choice? I would
> > like to use the first rule, because it uses a new '@{pid}' type.)
>
> I strongly recommend using:
>
>   @{PROC}/@{pids}/net/dev r,

The profile already allows reading a dozen files there, and I'd guess
netstat is _the_ tool to read files in those directories.

So, silly question - is there anything in @{PROC}/@{pids}/net/ that
netstat should _not_ be allowed to read?
(I'm not familiar with what all those files provide, so maybe there are
some sensitive files netstat shouldn't be allowed to read.)

If nothing in @{PROC}/@{pids}/net/ is more sensitive than what we
already allow to read, what about
    @{PROC}/@{pids}/net/* r,
or even
    @{PROC}/@{pids}/net/** r,
?

Regards,

Christian Boltz
-- 
>you mean the "personal experiences" of the people writing here, right?
>then it's good that you didn't ask here what you should use to sort
>your mails. because otherwise that would probably be procmail.
Hehe, 1:0 to you. [> Michael Meyer and Thorsten Haude in suse-linux]
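An added illustration, not part of the thread and not the AppArmor parser's own code, of how far each of the three rules discussed above reaches: `*` stays within one path component, `**` also crosses `/`. The variable values, the simplified glob translation and the sample paths are assumptions made for this example.

```python
import re

# Assumed values: stock tunables define @{PROC} as "/proc/"; @{pids} is
# approximated here by a placeholder that later becomes a decimal PID.
VARIABLES = {"@{PROC}": "/proc/", "@{pids}": "\x00"}
GLOB_TO_REGEX = {"**": ".*", "*": "[^/]*", "\x00": "[1-9][0-9]*"}

# Constructed sample paths (not taken from the thread).
SAMPLE_PATHS = [
    "/proc/1234/net/dev",
    "/proc/1234/net/tcp",
    "/proc/1234/net/unix",
    "/proc/1234/net/stat/rt_cache",
    "/proc/1234/net/dev_snmp6/eth0",
    "/proc/1234/environ",
]

def rule_to_regex(path_glob):
    """Simplified translation of an AppArmor path glob into a regex.

    Only variables, '*' and '**' are handled; '?', '[]' and '{}' are not.
    """
    for name, value in VARIABLES.items():
        path_glob = path_glob.replace(name, value)
    # "@{PROC}/" expands to "/proc//"; duplicate slashes are collapsed.
    path_glob = re.sub(r"/{2,}", "/", path_glob)
    parts = re.split(r"(\*\*|\*|\x00)", path_glob)
    return re.compile("".join(GLOB_TO_REGEX.get(p) or re.escape(p) for p in parts))

def allowed_paths(path_glob, paths=SAMPLE_PATHS):
    """Return the sample paths that the rule's path expression covers."""
    rx = rule_to_regex(path_glob)
    return [p for p in paths if rx.fullmatch(p)]

if __name__ == "__main__":
    for rule in ("@{PROC}/@{pids}/net/dev",
                 "@{PROC}/@{pids}/net/*",
                 "@{PROC}/@{pids}/net/**"):
        print(rule, "r,")
        for path in allowed_paths(rule):
            print("    allows read of", path)
```

Only the `**` form covers files in subdirectories such as `net/stat/`, so that is the set to review before choosing it over `*`.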