[Bug 1298611] Re: [FFe] apparmor signal and ptrace mediation
Seth Arnold
1298611 at bugs.launchpad.net
Sat Apr 11 03:45:15 UTC 2015
Ken,
The ptrace mediation in 12.04 LTS is very rudimentary; if you add
capability sys_ptrace, to a profile then processes running in that
profile are allowed to trace any process the discretionary access
controls allow. The fine-grained permissions introduced in 14.04 LTS
require both the new kernel and userspace.
I tested that the apparmor 2.7.102-0ubuntu3.10 package with the
linux-generic-lts-trusty 3.13.0.49.43 package will allow ptrace using the
capability sys_ptrace, permission via a strace profile:
# cat usr.bin.strace
# Last Modified: Sat Apr 11 03:38:35 2015
#include <tunables/global>

/usr/bin/strace {
  #include <abstractions/base>

  capability sys_ptrace,

  /bin/ls rix,
  /home/*/ r,
  /proc/filesystems r,
  /usr/bin/strace mr,
}
I tested both strace /bin/ls and strace -p 1.
Thanks
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1298611
Title:
[FFe] apparmor signal and ptrace mediation
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1298611/+subscriptions
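For contrast with the coarse 12.04 rule above, here is what the same strace confinement looks like with the fine-grained ptrace rules that 14.04 LTS introduced. This is an added example, not a profile from the bug thread or the Ubuntu package; it assumes the 14.04 AppArmor userspace (2.8.95 or later) and a 3.13 kernel, and the file paths are illustrative.

```apparmor
# Added example (not from the bug thread): strace confined with
# fine-grained ptrace rules instead of a blanket capability sys_ptrace.
# Assumes AppArmor 2.8.95+ userspace and a 3.13+ kernel.
#include <tunables/global>

/usr/bin/strace {
  #include <abstractions/base>

  # /bin/ls is executed with 'ix', so the traced child inherits this
  # profile and the ptrace peer on both sides is /usr/bin/strace.
  # The tracer side needs trace/read; the tracee side needs
  # tracedby/readby. Since both run under this profile, both are listed.
  ptrace (trace, read, tracedby, readby) peer=/usr/bin/strace,

  # No 'capability sys_ptrace,' here: tracing a process outside this
  # profile (e.g. strace -p 1, whose peer is unconfined) is now rejected
  # by the peer match, rather than being allowed wherever DAC permits it.

  /bin/ls rix,
  /home/*/ r,
  /proc/filesystems r,
  /usr/bin/strace mr,
}
```

With this profile, "strace /bin/ls" still works, while "strace -p 1" is denied and logged as a ptrace denial rather than silently permitted by the capability.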