[apparmor] [profile] netstat(8): problems with '-p', '-program' option. Solved?

daniel curtis sidetripping at gmail.com
Wed May 10 14:35:50 UTC 2017


Hello Mr Johansen

Thank You very much for an exhaustive answer. Now, I understand this issue
more. However, You wrote:


>> Unfortunately these policy rules are not compatible with
>> the version of apparmor in 12.04, unless you update 12.04
>> to a new apparmor userspace that can support them (...)

I'm using the 16.04 LTS release, since 12.04 LTS has EoL status.
Unless we are talking about Extended Security Maintenance, offered by
Canonical as ongoing security patches and bug fixes for the kernel and
the most essential user-space packages in Ubuntu 12.04 etc. But it's a
private archive, exclusively available to Ubuntu Advantage customers. So,
not in my case.

>> yep, this is what you need. Though I will note you might want
>> something a little different due to the reason for many of
>> these ptrace permission requests.

So, according to all of the above and your answer, could/should I use these two
rules together in the netstat(8) profile? I mean, of course, these rules:

deny capability sys_ptrace,
deny ptrace,

I'm sorry for such a naive question, but You wrote something
interesting: "Denying
all these requests can result in the netstat tool not functioning correctly
as it can not gather all the information it needs. I would do some
comparisons of its output for your use cases (...)"

I agree with You, but now I have some doubts about whether I can use the two
rules mentioned earlier. Could You answer simply: yes or no?

Thanks, best regards.
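The two deny rules asked about, placed in a minimal netstat(8) profile skeleton, together with the output comparison suggested in the quoted answer, as an added example that is not part of this thread or of the AppArmor project's own profiles. The profile path (/etc/apparmor.d/bin.netstat), the @{PROC} read rules and the `netstat -tulpn` sample output are assumptions constructed for illustration; the only rules taken from the message itself are `deny capability sys_ptrace,` and `deny ptrace,`.

```shell
#!/bin/sh
# Added example, not code from the thread or from the AppArmor project.
# It shows (1) a minimal netstat(8) profile skeleton carrying the two rules
# asked about, and (2) the output comparison suggested in the quoted answer:
# count the listening sockets that `netstat -tulpn` could not attribute to a
# program, once with the profile in complain mode and once in enforce mode.
# The profile path and the @{PROC} rules are assumptions for illustration.

# (1) Profile skeleton. Load it with:  apparmor_parser -r /etc/apparmor.d/bin.netstat
#     and switch modes with aa-complain / aa-enforce on that file.
netstat_profile() {
	cat <<'EOF'
#include <tunables/global>

/bin/netstat {
  #include <abstractions/base>

  # The two rules from the question. AppArmor "deny" rules are quiet:
  # rejected ptrace requests will NOT show up in the audit log, so the
  # only way to see their effect is to compare netstat's output.
  deny capability sys_ptrace,
  deny ptrace,

  # Assumed read access to what netstat -p walks (illustrative, not complete).
  @{PROC}/net/* r,
  @{PROC}/ r,
  @{PROC}/*/ r,
  @{PROC}/*/fd/ r,
  @{PROC}/*/cmdline r,
}
EOF
}

# (2) Count rows of `netstat -tulpn` output (read from stdin) whose
#     "PID/Program name" column is "-", i.e. sockets netstat could not map to
#     a process. The two header lines are skipped; the last field is the
#     PID/Program column for both TCP rows (which carry a State) and UDP rows
#     (which do not).
count_unattributed() {
	awk 'NR > 2 && $NF == "-" { n++ } END { print n + 0 }'
}

# Constructed sample output, as it might look with the profile in complain
# mode (ptrace permitted) and in enforce mode (ptrace denied).
SAMPLE_COMPLAIN='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1042/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1101/cupsd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           873/dhclient'

SAMPLE_ENFORCE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      -
udp        0      0 0.0.0.0:68              0.0.0.0:*                           -'

# Run the real comparison on a live system (needs root for -p, and the
# profile loaded). Prints the number of unattributed sockets in each mode;
# a larger enforce-mode number means the deny rules are hiding information.
live_compare() {
	profile=${1:-/etc/apparmor.d/bin.netstat}   # assumed path
	aa-complain "$profile" >/dev/null
	c=$(netstat -tulpn 2>/dev/null | count_unattributed)
	aa-enforce "$profile" >/dev/null
	e=$(netstat -tulpn 2>/dev/null | count_unattributed)
	printf 'complain: %s unattributed, enforce: %s unattributed\n' "$c" "$e"
}
```

Two caveats a practitioner would want here. First, the ptrace requests come from `netstat -p` reading `/proc/<pid>/fd` of processes it does not own: the kernel gates that with a ptrace-read access check, which is satisfied by CAP_SYS_PTRACE and mediated by AppArmor's ptrace rules, so denying both turns every foreign socket's program column into "-" rather than producing an error. Second, because `deny` rules are quiet, nothing appears in the audit log when that happens; the `count_unattributed` comparison above is the check that replaces log-watching.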