[apparmor] [profile] netstat(8): plenty of DENIED messages; repeated "target=*" value.

John Johansen john.johansen at canonical.com
Wed Dec 7 20:26:40 UTC 2016

On 12/07/2016 10:35 AM, Steve Beattie wrote:
> On Tue, Dec 06, 2016 at 12:16:43PM -0800, John Johansen wrote:
>> On 12/06/2016 07:14 AM, daniel curtis wrote:
>>> Please forgive me, writing message one by one, but I think, that maybe 'deny capability sys_ptrace,' is responsible for such entries? I'm asking, because of operation="ptrace", which can be found in a log files etc.
>>> What do you think? Once again - I'm sorry.
>> no, capability sys_ptrace, isn't responsible for this entry, it is
>> squarely on ptrace rules, more specifically no one rule is causing this
>> it looks like a kernel bug in the enforcement or logging of ptrace rules
> While that may be the intent, and the Ubuntu 12.04 LTS kernel might be
> buggy about this, I reproduced what daniel is seeing, and converting
> the 'deny capability sys_ptrace,' to allowing the sys_ptrace capability
> made the rejections go away, as well as allowed netstat's -p argument
> to work. Attempts to add a ptrace rule instead did not succeed.
dependent on the target the capability may be needed in addition
to ptrace rules.  ptrace rules will provide control for ptrace between
a users tasks but ptrace of another users tasks will require both
ptrace and capability rules.

The denial danial encounter was definitely in the ptrace code. I will
look into it more soon

More information about the AppArmor mailing list