Denying capability sys_ptrace logs a denial

Bug #1273518 reported by Simon Déziel
Affects: apparmor (Ubuntu) | Status: Invalid | Importance: Undecided | Assigned to: Unassigned | Milestone: (not set)

Bug Description

The AppArmor profile [1] I use for Pidgin has this to deny ptrace:

  deny capability sys_ptrace,

yet, when I executed the binary I got this log message:

  kernel: [ 6457.580652] type=1400 audit(1390875439.197:137): apparmor="DENIED" operation="ptrace" profile="/usr/bin/pidgin" pid=7252 comm="pidgin" target=5422

It behaves as if the "audit" qualifier was used.

$ lsb_release -rd
Description: Ubuntu Trusty Tahr (development branch)
Release: 14.04
$ apt-cache policy apparmor
apparmor:
  Installed: 2.8.0-0ubuntu38
  Candidate: 2.8.0-0ubuntu38
  Version table:
 *** 2.8.0-0ubuntu38 0
        500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
        100 /var/lib/dpkg/status

1: https://github.com/simondeziel/aa-profiles/blob/master/14.04/usr.bin.pidgin

ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: apparmor 2.8.0-0ubuntu38
ProcVersionSignature: Ubuntu 3.13.0-5.20-generic 3.13.0
Uname: Linux 3.13.0-5-generic x86_64
ApportVersion: 2.13.2-0ubuntu2
Architecture: amd64
CurrentDesktop: Unity
Date: Mon Jan 27 21:31:31 2014
InstallationDate: Installed on 2014-01-26 (1 days ago)
InstallationMedia: Ubuntu 14.04 LTS "Trusty Tahr" - Alpha amd64 (20140124)
ProcKernelCmdline: BOOT_IMAGE=/vmlinuz-3.13.0-5-generic root=UUID=8d5be75f-cde0-4723-a3f4-25368b6ae4ca ro quiet splash cryptopts=target=crypt,source=/dev/sda1,lvm=crypt-root possible_cpus=4 nmi_watchdog=0 vt.handoff=7
SourcePackage: apparmor
UpgradeStatus: No upgrade log present (probably fresh install)

Revision history for this message
Simon Déziel (sdeziel) wrote :

I confused "sys_ptrace" with "ptrace". Simply adding "deny ptrace," along with "deny capability sys_ptrace," makes the denial logs go away.

Changed in apparmor (Ubuntu):
status: New → Invalid
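As an added example (not part of the bug report or the reporter's profile), this Python parser pulls the ptrace-class denials, i.e. operation="ptrace" lines like the one quoted above, out of AppArmor audit output; these are the events a `deny ptrace,` rule silences, which `deny capability sys_ptrace,` does not cover. The first sample line is the one from this report; the second is constructed for contrast.

```python
import re
from typing import Dict, List, Optional

# Sample input. Line 1 is the denial quoted in this bug report; line 2 is a
# constructed, unrelated file-access denial that the filter must ignore.
SAMPLE_LINES = [
    'kernel: [ 6457.580652] type=1400 audit(1390875439.197:137): '
    'apparmor="DENIED" operation="ptrace" profile="/usr/bin/pidgin" '
    'pid=7252 comm="pidgin" target=5422',
    'kernel: [ 6460.000000] type=1400 audit(1390875442.000:138): '
    'apparmor="DENIED" operation="open" profile="/usr/bin/pidgin" '
    'name="/etc/shadow" pid=7252 comm="pidgin" requested_mask="r" '
    'denied_mask="r" fsuid=1000 ouid=0',
]

# key=value pairs; values are either double-quoted strings or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_apparmor_line(line: str) -> Optional[Dict[str, str]]:
    """Return the key=value fields of one AppArmor audit line, or None if the
    line is not an AppArmor event at all."""
    if 'apparmor=' not in line:
        return None
    fields: Dict[str, str] = {}
    for m in FIELD_RE.finditer(line):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else raw
    return fields


def is_ptrace_denial(fields: Dict[str, str]) -> bool:
    """True for denials of the ptrace rule class (what 'deny ptrace,' governs),
    as opposed to capability or file denials from the same profile."""
    return fields.get('apparmor') == 'DENIED' and fields.get('operation') == 'ptrace'


def ptrace_denials(lines: List[str]) -> List[Dict[str, object]]:
    """Summarise every ptrace-class denial: which profile, which process,
    and which pid it tried to trace."""
    out: List[Dict[str, object]] = []
    for line in lines:
        f = parse_apparmor_line(line)
        if f and is_ptrace_denial(f):
            out.append({'profile': f['profile'], 'comm': f['comm'],
                        'pid': int(f['pid']), 'target': int(f['target'])})
    return out


if __name__ == '__main__':
    for d in ptrace_denials(SAMPLE_LINES):
        print(d)
```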