The denial messages like target=B00280F4B00280F are caused by a kernel bug in reporting the profile name of the target of the ptrace.

In general ptrace operations are controlled by both capability and ptrace rules. This is because within the kernel ptrace calls into the capability code, and hence the capability hook, without the security system having context for the reasons (semantics) of the capability request. So you will need the capability rule. Yes, netstat will also need a file rule like you described, as it will walk parts of the proc filesystem, as that is how it obtains information about the network connection.

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1653347

Title: [profile] netstat(8): ptrace and many DENIED messages (target=*).
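An added illustration of the rule combination described in the comment above (a capability rule plus a ptrace rule, plus file rules for the proc entries netstat reads). This is example profile text written for this page, not the Ubuntu apparmor package's own netstat profile; the binary path /bin/netstat, the profile name, and the exact set of /proc paths are assumptions that should be checked against the denials in your own audit log (e.g. with aa-logprof).

```apparmor
# Example AppArmor profile fragment for netstat(8) (assumed paths; not the
# distribution's shipped profile).
#include <tunables/global>

profile netstat /bin/netstat {
  #include <abstractions/base>

  /bin/netstat mr,

  # Mapping sockets to PIDs (netstat -p) makes the kernel call into the
  # capability code and the ptrace LSM hook, so BOTH rules are required;
  # leaving out either one still produces DENIED messages.
  capability sys_ptrace,
  ptrace (read),

  # Connection tables come from /proc/net/*.
  @{PROC}/net/tcp r,
  @{PROC}/net/tcp6 r,
  @{PROC}/net/udp r,
  @{PROC}/net/udp6 r,
  @{PROC}/net/raw r,
  @{PROC}/net/raw6 r,
  @{PROC}/net/unix r,

  # netstat walks /proc/<pid>/fd/ and readlinks each entry to find
  # socket inodes, then reads cmdline for the process name column.
  # These are the file rules the comment refers to (assumed set).
  @{PROC}/ r,
  @{PROC}/@{pid}/ r,
  @{PROC}/@{pid}/fd/ r,
  @{PROC}/@{pid}/fd/* r,
  @{PROC}/@{pid}/cmdline r,
}
```

After editing, reload the profile (e.g. apparmor_parser -r on the profile file) and re-run netstat -p while watching the audit log; any remaining DENIED lines name the path or operation that still needs a rule. Note that `ptrace (read),` without a peer= qualifier allows reads of any task's proc entries, which is the broad permission a process-to-socket mapping actually needs, but it is worth confining it with peer= if your use of netstat is narrower.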