[apparmor] [profile] netstat(8): plenty of DENIED messages; repeated "target=*" value.

John Johansen john.johansen at canonical.com
Sat Dec 31 20:46:25 UTC 2016

On 12/31/2016 04:37 AM, daniel curtis wrote:
> Hello
> I've created a bug report on Launchpad related to netstat(8) and ptrace problems. I hope that it will help to solve this issue, because there are still DENIED messages in log files. Everything is described in the report.
> https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1653347
> Best regards.
The denial messages like

are caused by a kernel bug in reporting the profile name of the target of the ptrace.

In general, ptrace operations are controlled by both capability and ptrace rules. This is because within the kernel ptrace calls into the capability code, and hence the capability hook, without the security system having context for the reasons (semantics) of the capability request. So you will need the capability rule.

Yes, netstat will also need a file rule like you described as it will walk parts of the proc filesystem as that is how it obtains information about the network connection.
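The reply above describes three kinds of rules netstat needs: the capability rule, the ptrace rule, and file rules for the parts of /proc it walks. The profile fragment below puts them together as an added example; it is not from the bug report, the reply, or the AppArmor project, and the profile name, the /bin/netstat attachment path, and the exact set of /proc paths are assumptions that should be checked against your own DENIED messages.

```apparmor
# Added example profile for netstat(8), not from the original message.
# Assumptions: net-tools netstat lives at /bin/netstat, the profile is
# named "netstat", and the /proc paths below match what your build reads.
#include <tunables/global>

profile netstat /bin/netstat {
  #include <abstractions/base>
  # /etc/services, /etc/protocols, /etc/hosts and friends for name lookups
  #include <abstractions/nameservice>

  # netstat -p maps socket inodes to pids by reading other processes'
  # /proc/<pid>/fd/ entries. Inside the kernel that goes through the
  # capability code, so the capability rule is required on its own...
  capability sys_ptrace,

  # ...and the same access is also mediated by the ptrace hook, so a
  # ptrace rule is needed as well. No peer= is given here, which allows
  # reading any task; add peer=<profile> to narrow it.
  ptrace (read),

  # Socket and interface tables that netstat parses.
  @{PROC}/net/ r,
  @{PROC}/net/tcp r,
  @{PROC}/net/tcp6 r,
  @{PROC}/net/udp r,
  @{PROC}/net/udp6 r,
  @{PROC}/net/raw r,
  @{PROC}/net/raw6 r,
  @{PROC}/net/unix r,
  @{PROC}/net/route r,
  @{PROC}/net/dev r,
  @{PROC}/net/snmp r,

  # Walking every process to resolve inodes to pids and program names.
  # Reading the fd symlinks (readlink) needs r on the link paths.
  @{PROC}/ r,
  @{PROC}/[0-9]*/ r,
  @{PROC}/[0-9]*/fd/ r,
  @{PROC}/[0-9]*/fd/* r,
  @{PROC}/[0-9]*/cmdline r,
  @{PROC}/[0-9]*/stat r,
  @{PROC}/[0-9]*/status r,

  # Note: denial lines that report the ptrace target as "*" come from the
  # kernel's reporting bug mentioned in the reply; they do not indicate a
  # missing rule beyond the capability and ptrace rules above.
}
```

Load it with apparmor_parser -r and run netstat -tulpn under the profile; any remaining DENIED lines for /proc paths are the ones to add, and aa-logprof can turn those log lines into rules.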
