[apparmor] capability ptrace not honored?
Christian Boltz
apparmor at cboltz.de
Mon Oct 16 19:36:18 UTC 2017
Hello,
On Monday, 16 October 2017, 21:05:16 CEST, Malte Gell wrote:
> in a profile I have the following rule:
>
> capability sys_ptrace,
>
> But I still get this error message:
>
> Profile: /usr/bin/foobar
> Operation: ptrace
> Denied: trace
> Logfile: /var/log/audit/audit.log
> (473 found, most recent from 'Mon Oct 16 20:57:56 2017')
>
> Why doesn't capability sys_ptrace, work here?
> Thanks!
AFAIK you use openSUSE Tumbleweed, so you probably have Kernel 4.13.x.
With Kernel 4.13, support for the "ptrace" rule type was added (actually
upstreamed - Ubuntu has carried this patch for years). Support for network
rules was also upstreamed - but since openSUSE has carried (an old version
of) that patch for years, that's nothing really new for you.
Based on what you quoted in your mail, you'll need a rule like
ptrace trace,
but the audit.log probably contains more details so that you can add
conditions like
ptrace trace peer=/usr/bin/foo,
The easiest way is to use aa-logprof - it already supports ptrace rules
and will propose a matching, as-strict-as-possible rule.
Oh, BTW: if this affects a profile shipped in Tumbleweed, please open a
bugreport with the needed changes.
FYI: Kernel 4.14 supports some more rule types (mount/umount, signal,
pivot_root). The first profile patches are already in Tumbleweed, and I
expect some more profile updates before 4.14 enters Tumbleweed.
(I use 4.14 since rc2 from the KOTD repo, which helps a lot to find out
what needs to be done ;-)
Finally, 4.15 [1] will support two more rule types - dbus and unix. And
with that, the patches that have been betatested ;-) by Ubuntu users for
years will finally be upstreamed :-)
(John, if I mixed up any version number, please correct me ;-)
aa-logprof already supports most of the new rule types, with the
exception of mount, pivot_root and unix rules. Support for unix rules is
near the top of my TODO list, so it should be available soon[tm] ;-)
mount and pivot_root are more rare, which also means adding full support
for them in aa-logprof isn't my top priority.
Regards,
Christian Boltz
[1] assuming the upstreaming works as planned
--
We break the translation consistently (wow, consistent break, I like
that wording) [from https://bugzilla.novell.com/show_bug.cgi?id=165509]
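The denial quoted in the mail shows only the profile, the operation and the denied access; the raw audit.log records also carry the peer, which is what aa-logprof uses to propose a peer-restricted rule instead of a bare `ptrace trace,`. The script below is an added example, not code from this thread or from the AppArmor project: it parses a few constructed audit lines in the standard AppArmor audit format (the lines, the `/usr/bin/foobar` profile and the `/usr/bin/foo` peer are made up for the example) and emits the narrowest `ptrace` rule that would satisfy each ptrace denial, in the same `ptrace trace peer=/usr/bin/foo,` form given in the reply. It assumes a kernel and parser that understand the ptrace rule type (4.13 or later, as discussed above); on such kernels `capability sys_ptrace,` on its own does not cover these denials.

```python
import re

# Constructed sample audit.log lines in the AppArmor audit format.
# They are NOT taken from the original mail; profile and peer names are placeholders.
SAMPLE_AUDIT_LINES = [
    'type=AVC msg=audit(1508180276.321:473): apparmor="DENIED" operation="ptrace" '
    'profile="/usr/bin/foobar" pid=4242 comm="foobar" requested_mask="trace" '
    'denied_mask="trace" peer="/usr/bin/foo"',
    'type=AVC msg=audit(1508180277.001:474): apparmor="DENIED" operation="ptrace" '
    'profile="/usr/bin/foobar" pid=4243 comm="foobar" requested_mask="read" '
    'denied_mask="read" peer="unconfined"',
    # A non-ptrace denial, to show that unrelated records are ignored.
    'type=AVC msg=audit(1508180278.500:475): apparmor="DENIED" operation="open" '
    'profile="/usr/bin/foobar" name="/etc/shadow" pid=4244 comm="foobar" '
    'requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
]

# AppArmor audit records are key="value" pairs; unquoted fields (type=, pid=) are not needed here.
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_denial(line):
    """Return the quoted key/value fields of one audit line, or None if it is not an AppArmor DENIED record."""
    fields = dict(FIELD_RE.findall(line))
    if fields.get("apparmor") != "DENIED":
        return None
    return fields


def propose_ptrace_rule(fields):
    """Build the narrowest 'ptrace' rule that would satisfy one ptrace denial.

    The access comes from denied_mask (falling back to requested_mask) and the
    rule is restricted to the peer the kernel reported, so that the profile only
    gains the ability to trace/read that specific peer rather than any process.
    """
    if fields.get("operation") != "ptrace":
        return None
    access = fields.get("denied_mask") or fields.get("requested_mask")
    if not access:
        return None
    peer = fields.get("peer")
    if peer is None:
        # No peer recorded: only an unrestricted rule can be proposed.
        return f"ptrace {access},"
    # Peer values are profile names; a path with spaces would need quoting in the profile.
    return f"ptrace {access} peer={peer},"


def propose_rules(lines):
    """Map each confined profile to the unique ptrace rules its denials call for."""
    proposals = {}
    for line in lines:
        fields = parse_denial(line)
        if fields is None:
            continue
        rule = propose_ptrace_rule(fields)
        if rule is None:
            continue
        rules = proposals.setdefault(fields["profile"], [])
        if rule not in rules:
            rules.append(rule)
    return proposals


if __name__ == "__main__":
    for profile, rules in propose_rules(SAMPLE_AUDIT_LINES).items():
        print(f"# rules to add to profile {profile}")
        for rule in rules:
            print(f"  {rule}")
```

The proposals are meant to be reviewed before being pasted into a profile: a `peer=unconfined` rule, for instance, lets the confined program ptrace every unconfined process, which is usually far more than intended, and aa-logprof would ask for confirmation at exactly that point.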