On 12/31/2016 04:37 AM, daniel curtis wrote: > > Hello > > I've created a bug report, on Lauchpad, related to a netstat(8) and ptrace > problems. I hope, that it will help to solve this issue, because there are > still DENIED messages in log files. Everything is described in a report. > > https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1653347 > > Best regards. > > The denial messages like target=B00280F4B00280F
are caused by a kernel bug, in reporting the the profile name of the target of the ptrace. In general ptrace operations are controlled by both capability and ptrace rules. This is because within the kernel ptrace calls in to the capability code, and hence the capability hook without the security system having context of the reasons (semantics) for the capability request. So you will need the capability rule. Yes, netstat will also need a file rule like you described as it will walk parts of the proc filesystem as that is how it obtains information about the network connection. -- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
