On 12/31/2016 04:37 AM, daniel curtis wrote:
> 
> Hello
> 
> I've created a bug report, on Lauchpad, related to a netstat(8) and ptrace 
> problems. I hope, that it will help to solve this issue, because there are 
> still DENIED messages in log files. Everything is described in a report.
> 
> https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1653347
> 
> Best regards.
> 
> 
The denial messages like
  target=B00280F4B00280F

are caused by a kernel bug, in reporting the the profile name of the target of 
the ptrace.

In general ptrace operations are controlled by both capability and ptrace 
rules. This is because within the kernel ptrace calls in to the capability 
code, and hence the capability hook without the security system having context 
of the reasons (semantics) for the capability request. So you will need the 
capability rule.

Yes, netstat will also need a file rule like you described as it will walk 
parts of the proc filesystem as that is how it obtains information about the 
network connection.


-- 
AppArmor mailing list
[email protected]
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor

Reply via email to