[apparmor] [profile] netstat(8): problems with '-p', '-program' option. Solved?
Seth Arnold
seth.arnold at canonical.com
Wed May 10 19:29:21 UTC 2017
On Wed, May 10, 2017 at 02:30:06AM -0700, John Johansen wrote:
> > [ 4713.703343] audit: type=1400 audit(1494266957.842:3148):
> > apparmor="DENIED" operation="capable" profile="/bin/netstat" pid=4267
> > comm="netstat" capability=19 capname="sys_ptrace"
> in your profile but it might be acceptable to do
>
> allow ptrace read,
>
> or if you know the peers it should be limited to
> allow ptrace read peer=some_peer_expr,
>
> using read will block the ptrace request to just reading info, and not
> allow the full ptrace which allows modifying a task.

Because this is netstat, you probably want the wide version:

  allow ptrace read,

because you want netstat to give you full details about your system.

Thanks
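
When tuning a profile, records like the one quoted above can be grouped by profile, operation and capability to see what is still being denied. This is an added example, not part of the original message; the function names are hypothetical, and the second and third sample lines are constructed.

```python
import re
from collections import Counter

# key=value pairs as they appear in kernel audit records; values may be quoted.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_denial(line):
    """Return the fields of an AppArmor DENIED record, or None for other lines."""
    fields = {}
    for key, raw, quoted in FIELD_RE.findall(line):
        fields[key] = quoted if raw.startswith('"') else raw
    if fields.get("apparmor") != "DENIED":
        return None
    return fields


def summarize(lines):
    """Count denials by (profile, operation, detail)."""
    counts = Counter()
    for line in lines:
        d = parse_denial(line)
        if d is None:
            continue
        # Capability denials carry capname; other operations carry denied_mask.
        detail = d.get("capname") or d.get("denied_mask", "")
        counts[(d.get("profile", "?"), d.get("operation", "?"), detail)] += 1
    return counts


SAMPLE = [
    # Record from the thread, with the quoted line wrapping joined back together.
    '[ 4713.703343] audit: type=1400 audit(1494266957.842:3148): '
    'apparmor="DENIED" operation="capable" profile="/bin/netstat" pid=4267 '
    'comm="netstat" capability=19 capname="sys_ptrace"',
    # Constructed: the same denial from a later run.
    '[ 4800.000000] audit: type=1400 audit(1494267044.000:3150): '
    'apparmor="DENIED" operation="capable" profile="/bin/netstat" pid=4301 '
    'comm="netstat" capability=19 capname="sys_ptrace"',
    # Constructed: an unrelated kernel line that must be ignored.
    '[ 4801.000000] usb 1-1: new high-speed USB device number 5',
]

if __name__ == "__main__":
    for (profile, op, detail), n in summarize(SAMPLE).items():
        print(f"{n}x profile={profile} operation={op} detail={detail}")
```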