[apparmor] [patch] smbd profile + smbldap-useradd
John Johansen
john.johansen at canonical.com
Wed Jan 4 20:21:45 UTC 2012
On 01/04/2012 12:09 PM, John Johansen wrote:
> On 01/04/2012 11:54 AM, Christian Boltz wrote:
>> Hello,
>>
>> On Wednesday, 4 January 2012, Kees Cook wrote:
>>> On Wed, Jan 04, 2012 at 07:43:35PM +0100, Christian Boltz wrote:
>>>> + profile /etc/init.d/nscd {
>>>> + #include <abstractions/base>
>>>> + #include <abstractions/nameservice>
>>>> +
>>>> + capability sys_ptrace,
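Review bot: `capability sys_ptrace,` in the `/etc/init.d/nscd` profile is granted with no comment saying which operation of the init script needs it, and nothing in the visible lines narrows it. Add a comment above the rule recording the audit.log denial that prompted it, and test whether the script still works with the rule dropped before keeping it, since the capability grants much more than reading another process's /proc entries.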
>>>
>>> I wonder why sys_ptrace keeps showing up in some of these profiles. Is
>>> this really needed?
>>
>> Good question, I only know what the audit.log says ;-)
>
> My guess is because of proc calling into ptrace_may_access instead of being
> sane and using a distinct hook, which could then call ptrace_may_access
> if those were the desired semantics.
>
btw, this will improve some once we start splitting out the ptrace permissions