aa_getcon() does use /proc/<pid>/attr/current. The problem is, we can't allow apps to access this file because we cannot currently limit the pid to self. Ie, this is what we want:
@{PROC}/self/attr/current r,
but this is what we must use now:
@{PROC}/[0-9]*/attr/current r,
Therefore, if we allowed that ^, an app could easily enumerate what apps are installed on the device, which constitutes an information disclosure issue. That said, I can happily silence the denial with:
deny @{PROC}/[0-9]*/attr/current r,
if the scopes runner can handle this well. Note, I'm pretty sure we pointed you at aa_getcon(), however we didn't expect it to be run from within a confined scope process.
aa_getcon() does use /proc/< pid>/attr/ current. The problem is, we can't allow apps to access this file because we cannot currently limit the pid to self. Ie, this is what we want: /self/attr/ current r,
@{PROC}
but this is what we must use now: /[0-9]* /attr/current r,
@{PROC}
Therefore, if we allowed that ^, an app could easily enumerate what apps are installed on the device, which constitutes an information disclosure issue. That said, I can happily silence the denial with: /[0-9]* /attr/current r,
deny @{PROC}
if the scopes runner can handle this well. Note, I'm pretty sure we pointed you at aa_getcon(), however we didn't expect it to be run from within a confined scope process.