Feel free to send this patchset to the Debian BTS -- we can see about
adding an Ubuntu vendor switch so we don't maintain a delta.

You should also consider talking with Upstream about getting this fixed
in 1.3.

Thanks for your work!

On Tue, Oct 7, 2014 at 3:05 PM, Jamie Strandboge <ja...@ubuntu.com> wrote:
> lxc-docker-1.2.0 is the upstream package. docker.io is the Ubuntu package. 
> This should be fixed in the Ubuntu packaging in 1.2.0~dfsg1-1ubuntu1:
> docker.io (1.2.0~dfsg1-1ubuntu1) utopic; urgency=medium
>
>   * debian/patches/sync-apparmor-with-lxc.patch: update AppArmor policy to
>     be in sync with LXC. Specifically this:
>     - reorganizes the rules to allow for easier comparison with other
>       container policy
>     - adds comments for many rules
>     - adds bare dbus rule
>     - adds ptrace rule to allow ptracing ourselves
>     - adds deny mount options=(ro, remount, silent) -> /
>     - allows hugetlbfs
>     - adds cgmanager mount
>     - adds /sys/fs/pstore mount
>     - more specific /sys/kernel/security mount options
>     - more specific /sys mount options
>     - more specific /proc/sys/kernel/* deny rules
>     - more specific /proc/sys/net deny rules
>     - more specific /sys/class deny rules
>     - more specific /sys/devices deny rules
>     - more specific /sys/fs deny rules
>
> Specifically:
>   # Allow us to ptrace ourselves
>   ptrace peer=@{profile_name},
>
>
> ** Changed in: docker.io (Ubuntu)
>        Status: Confirmed => Fix Released
>
> --
> You received this bug notification because you are a member of Docker
> Ubuntu Maintainers, which is subscribed to docker.io in Ubuntu.
> https://bugs.launchpad.net/bugs/1320869
>
> Title:
>   apparmor="DENIED" operation="ptrace" profile="docker-default"
>
> Status in “docker.io” package in Ubuntu:
>   Fix Released
>
> Bug description:
>   When starting a container with -p / -P I'm starting to get many error
>   messages in the syslog which look like this:
>
>   May 19 08:25:47 localhost kernel: [916087.208505] type=1400
>   audit(1400477147.264:2353): apparmor="DENIED" operation="ptrace"
>   profile="docker-default" pid=12619 comm=706D323A20536174616E204461656D
>   requested_mask="trace" denied_mask="trace" peer="docker-default"
>
>   » lsb_release -rd
>   Description:    Ubuntu 14.04 LTS
>   Release:        14.04
>
>   » apt-cache policy docker.io
>   docker.io:
>     Installed: 0.9.1~dfsg1-2
>     Candidate: 0.9.1~dfsg1-2
>     Version table:
>    *** 0.9.1~dfsg1-2 0
>           500 http://mirror.isoc.org.il/pub/ubuntu/ trusty/universe amd64 Packages
>           100 /var/lib/dpkg/status
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/ubuntu/+source/docker.io/+bug/1320869/+subscriptions


-- 
All programmers are playwrights, and all computers are lousy actors.

#define sizeof(x) rand()
:wq
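
Added example, not part of the original messages or of the docker.io packaging: a small triage script for the denial quoted in the bug description. It decodes the hex-encoded comm field (the audit subsystem hex-encodes unquoted strings containing spaces) and separates same-profile ptrace denials, the case covered by `ptrace peer=@{profile_name},`, from cross-profile ones. Function names are hypothetical and the second record is constructed.

```python
import re

# Record from the bug description above, re-joined onto one line.
SAMPLE = ('May 19 08:25:47 localhost kernel: [916087.208505] type=1400 '
          'audit(1400477147.264:2353): apparmor="DENIED" operation="ptrace" '
          'profile="docker-default" pid=12619 comm=706D323A20536174616E204461656D '
          'requested_mask="trace" denied_mask="trace" peer="docker-default"')
# Constructed contrast case: same record, but the peer is a different profile.
CROSS = SAMPLE.replace('peer="docker-default"', 'peer="unconfined"')

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted" or key=bare
HEX_RE = re.compile(r'(?:[0-9A-Fa-f]{2})+')


def parse_apparmor(line):
    """Return the key=value fields of an AppArmor audit record, or None."""
    if 'apparmor=' not in line:
        return None
    fields = {}
    for key, quoted, bare in FIELD_RE.findall(line):
        if key == 'comm' and bare and HEX_RE.fullmatch(bare):
            # Unquoted comm means the kernel hex-encoded it.
            bare = bytes.fromhex(bare).decode('utf-8', 'replace')
        fields[key] = bare or quoted
    return fields


def is_self_ptrace_denial(fields):
    """Denied ptrace where tracer and tracee run under the same profile."""
    return (fields.get('apparmor') == 'DENIED'
            and fields.get('operation') == 'ptrace'
            and fields.get('profile') is not None
            and fields.get('profile') == fields.get('peer'))


def triage(lines):
    """Split ptrace denials into (same-profile, cross-profile) lists."""
    same, cross = [], []
    for line in lines:
        f = parse_apparmor(line)
        if not f or f.get('apparmor') != 'DENIED' or f.get('operation') != 'ptrace':
            continue
        (same if is_self_ptrace_denial(f) else cross).append(f)
    return same, cross


if __name__ == '__main__':
    same, cross = triage([SAMPLE, CROSS])
    for f in same:
        print('same-profile ptrace denial:', f['profile'], repr(f['comm']))
    for f in cross:
        print('cross-profile ptrace denial:', f['profile'], '->', f['peer'])
```

Same-profile denials are the ones the added rule silences; cross-profile denials are not covered by it and remain in the log.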
