Tetsuo Handa
2017-05-24 20:43:46 UTC
Is it possible to bind '\$' for a query occurring during run-time and
then use it in the rules? With the following, I want to allow only root
and the current process to read its /proc/\$/mem. Is something
like this possible with caitsith?
Such binding is not possible, but "/proc/self" is represented as "proc:/self"then use it in the rules? With the following, I want to allow only root
and the current process to read its /proc/\$/mem. Is something
like this possible with caitsith?
rather than "proc:/\$". Thus,
10 acl read /proc/\$/mem
1 allow task.euid=0
10 allow task.pid=\$
100 deny
I think you want something like below.1 allow task.euid=0
10 allow task.pid=\$
100 deny
10 acl read path.fsmagic=0x9FA0 path="proc:/\*/mem"
audit 0
10 allow path="proc:/self/mem"
20 allow task.uid=0 task.gid=0 task.euid=0 task.egid=0
30 deny
This example checks filesystem magic before checking pathnames
so that the kernel does not need to evaluate "proc:/\*/mem" for
pathnames not in proc filesystem.