Define current process's PID in apparmor profile
Bug #1546825 reported by
Uzair Shamim
This bug affects 7 people
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| AppArmor |
Confirmed
|
Undecided
|
John Johansen | ||
Bug Description
Hi,
Would it be possible to implement a feature that allows administrators to define rules in the apparmor profile so that it uses the PID of the program the profile applies to?
The current setup will only allow rules like this:
/proc/*/something
It would be much more useful to be able to say something like this:
/proc/THISPID/
| information type: | Private Security → Public Security |
| Changed in apparmor: | |
| status: | New → Confirmed |
| assignee: | nobody → John Johansen (jjohansen) |
Revision history for this message
| Seth Arnold (seth-arnold) wrote | #1 |
Revision history for this message
| John Johansen (jjohansen) wrote | #2 |
| tags: | added: aa-feature aa-kernel aa-parser |
Revision history for this message
| Jamie Strandboge (jdstrand) wrote | #3 |
To post a comment you must log in.
The long-term plan is to add kernel-side variable support for some features, including one for pids. The @{pid} variable is today a fairly ugly regex that matches pids and will one day match the current process's pid. The @{pids} variable will remain the fairly ugly regex that matches pids, so that an easy way to express "all pids" remains.
Thanks