[apparmor] capability ptrace not honored?

John Johansen john.johansen at canonical.com
Mon Oct 16 19:24:51 UTC 2017


On 10/16/2017 12:05 PM, Malte Gell wrote:
> Hello,
> 
> in a profile I have the following rule:
> 
> capability sys_ptrace,
> 
> But I still get this error message:
> 
> Profile: /usr/bin/foobar
> Operation: ptrace
> Denied: trace
> Logfile: /var/log/audit/audit.log
> (473 found, most recent from 'Mon Oct 16 20:57:56 2017')
> 
> Why doesn't capability sys_ptrace, work here?
> Thanks!
> 

You haven't given us enough information to answer this question. There are some possibilities.
In particular the full log message of the denial would be helpful, along with a kernel version
and which version of the userspace.

I assume the capability is in your /usr/bin/foobar profile

First up, was this profile loaded without the capability permission and then reloaded with it
added? If so, does it work after a clean restart of the application/service?
- If so, this would indicate a replacement bug.

Are you running a 4.13 or newer kernel?
And are you using an apparmor 2.9 or later userspace? (apparmor_parser -V)
And is your system configured to compile policy to all supported features,
instead of being pinned to a specific feature set?

  Then capability sys_ptrace, is not sufficient and you will need to include
  ptrace rules. Or you could pin policy to an older feature set.


If all the above is true and you have ptrace rules, does the target profile
being traced have the appropriate rules to allow being ptraced by the subject?
Ptrace mediation requires that both the subject and target profiles be consistent
in what is allowed.
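As an added illustration (not part of the thread), this is what the two-sided ptrace rules described above look like on a 4.13 or newer kernel with policy compiled against the ptrace feature. /usr/bin/foobar is the tracing program from the question; /usr/bin/target is an assumed name for the program being traced.

```apparmor
# /etc/apparmor.d/usr.bin.foobar  (subject: the process doing the tracing)
/usr/bin/foobar {
  # Still required: tracing a process with a different uid, or one that is
  # not dumpable, needs CAP_SYS_PTRACE at the kernel level.
  capability sys_ptrace,

  # With ptrace mediation the capability alone is not sufficient; the
  # subject must be explicitly allowed to trace (and read) the target's
  # profile. Without this line the audit log shows
  # "Operation: ptrace  Denied: trace" even though the capability is granted.
  ptrace (trace, read) peer=/usr/bin/target,

  # Tracing processes confined by this same profile (e.g. forked children).
  ptrace (trace, read) peer=@{profile_name},
}

# /etc/apparmor.d/usr.bin.target  (target: the process being traced)
/usr/bin/target {
  # The target side must agree: tracedby/readby are the mirror permissions
  # of trace/read. If this is missing, the denial is logged against the
  # subject even though the subject's own rule is correct.
  ptrace (tracedby, readby) peer=/usr/bin/foobar,
}
```

If instead the policy is pinned to a pre-4.13 feature set (apparmor_parser --features-file, or the same option in /etc/apparmor/parser.conf), the ptrace rules are not consulted and capability sys_ptrace, alone behaves as it did on older kernels.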