[profile] netstat(8): using '-p' option produces many ptrace-related DENIED entries in log files.
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
apparmor (Ubuntu) | New | Undecided | Unassigned |
Bug Description
Hi
In the last few days and weeks I've noticed that running the netstat(8) utility via sudo(8) is responsible for many entries in various log files, such as /var/log/kern.log or /var/log/syslog. I'm using this profile [1]. There are many DENIED messages, but they are not related to, for example, a missing rule. It looks like this: run, e.g., the `sudo netstat -talpn/tulpn` command and check the log files; there are entries such as:
* /var/log/kern.log file:
Nov 30 19:12:15 t4 kernel: [12380.946835] type=1400 audit(148052953 profile=
Nov 30 19:12:15 t4 kernel: [12380.946850] type=1400 audit(148052953 profile=
Nov 30 19:12:15 t4 kernel: [12380.946859] type=1400 audit(148052953 profile=
Dec 6 15:27:11 t4 kernel: [ 816.591037] type=1400 audit(148103443 profile=
Dec 6 15:27:11 t4 kernel: [ 816.591069] type=1400 audit(148103443 profile=
Dec 6 15:27:11 t4 kernel: [ 816.591086] type=1400 audit(148103443 profile=
There are, of course, many more such entries, about 80, maybe more. As we can see, the only thing that changes is the "target=*" entry.
According to Mr Steve Beattie, who reproduced the above issue, "converting the 'deny capability sys_ptrace,' to allowing the sys_ptrace capability made the rejections go away, as well as allowed netstat's -p argument to work. Attempts to add a ptrace rule instead did not succeed."
Also, I've noticed that running netstat(8) as a normal user (without sudo(8), just for testing purposes) produced the following entry in the log files:
[~]$ netstat -ta / -tunl
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
/proc/net/tcp: Permission denied
* /var/log/syslog file:
Dec 31 13:19:02 t4 kernel: [ 3734.255210] type=1400 audit(148318674
As we can see, there is only one DENIED message, but this time netstat(8) was run without the 'p' flag, which is responsible for the above logs with many target=* entries. So, does the netstat(8) profile also need a rule for the DENIED /proc/*/net/tcp access? Something like:
@{PROC}
AppArmor ver: 2.7.102-
Description: Ubuntu 12.04.5 LTS,
Release: 12.04,
Kernel: 3.2.0-120.
Best regards.
______________
[1] https:/
The denial messages like B00280F4B00280F
target=
are caused by a kernel bug in reporting the profile name of the target of the ptrace.
In general, ptrace operations are controlled by both capability and ptrace rules. This is because within the kernel, ptrace calls into the capability code, and hence the capability hook, without the security system having context for the reasons (semantics) behind the capability request. So you will need the capability rule.
Yes, netstat will also need a file rule like you described, as it walks parts of the proc filesystem; that is how it obtains information about network connections.
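The following script is an added example, not part of this bug report and not AppArmor's own aa-logprof. It parses AppArmor DENIED audit lines, counts them per operation, profile and target (the pattern the reporter saw: many ptrace denials differing only in target=, plus one file denial), and maps each kind of denial to the rule the thread says addresses it: the capability rule for ptrace denials, as explained in the reply above, and an @{PROC} read rule for the /proc/*/net/tcp access the reporter asked about. The log lines and the minimal profile are constructed (the page's own lines are truncated and its profile is only linked), the profile path /bin/netstat is an assumption, and the sample lines follow the field layout of 3.2-era kernel audit messages.

```python
"""Classify AppArmor DENIED audit lines and derive profile rules for them.

Added example; not the reporter's profile and not AppArmor's own tooling.
Sample data below is constructed to mimic the Linux 3.2-era audit format
the bug report quotes (the lines on the report itself are truncated).
"""
import re
from collections import Counter

# Constructed sample log lines, not copied from the bug report.
SAMPLE_LOG = """\
Nov 30 19:12:15 t4 kernel: [12380.946835] type=1400 audit(1480529535.123:4501): apparmor="DENIED" operation="ptrace" profile="/bin/netstat" pid=4242 comm="netstat" target="/usr/sbin/sshd"
Nov 30 19:12:15 t4 kernel: [12380.946850] type=1400 audit(1480529535.123:4502): apparmor="DENIED" operation="ptrace" profile="/bin/netstat" pid=4242 comm="netstat" target="unconfined"
Nov 30 19:12:15 t4 kernel: [12380.946859] type=1400 audit(1480529535.123:4503): apparmor="DENIED" operation="ptrace" profile="/bin/netstat" pid=4242 comm="netstat" target="/usr/sbin/cupsd"
Dec 31 13:19:02 t4 kernel: [ 3734.255210] type=1400 audit(1483186742.255:9001): apparmor="DENIED" operation="open" profile="/bin/netstat" name="/proc/net/tcp" pid=5150 comm="netstat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Dec 31 13:19:02 t4 kernel: [ 3734.255222] type=1400 audit(1483186742.255:9002): apparmor="DENIED" operation="open" profile="/bin/netstat" name="/proc/5150/net/tcp6" pid=5150 comm="netstat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

# Constructed minimal profile in the shape the report describes (assumed path);
# the deny rule is the one that, per Steve Beattie, had to become an allow.
SAMPLE_PROFILE = """\
#include <tunables/global>
/bin/netstat {
  #include <abstractions/base>
  deny capability sys_ptrace,
  /bin/netstat mr,
}
"""

# key=value pairs; values are either double-quoted strings or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_audit_line(line):
    """Return the fields of one AppArmor (type=1400) audit line as a dict,
    or None when the line is not an AppArmor audit message."""
    if "type=1400" not in line or "apparmor=" not in line:
        return None
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def suggest_rule(fields):
    """Map one DENIED record to the profile rule that would satisfy it.

    ptrace denials reach the kernel's capability hook (see the reply above),
    so they need 'capability sys_ptrace,' rather than a ptrace rule.  For
    reads under /proc the pid component is generalised to '*' and the prefix
    rewritten to the @{PROC} tunable, as the reporter proposed.
    """
    op = fields.get("operation")
    if op == "ptrace":
        return "capability sys_ptrace,"
    name = fields.get("name", "")
    if op == "open" and name.startswith("/proc/"):
        path = re.sub(r"^/proc/\d+/", "/proc/*/", name)
        path = "@{PROC}" + path[len("/proc"):]
        return f"{path} {fields.get('denied_mask', 'r')},"
    return None


def summarise_denials(log_text):
    """Count DENIED events per (operation, profile, target-or-name) and
    collect, in first-seen order, the distinct rules that address them."""
    counts = Counter()
    rules = []
    for line in log_text.splitlines():
        fields = parse_audit_line(line)
        if not fields or fields.get("apparmor") != "DENIED":
            continue
        subject = fields.get("target") or fields.get("name") or "?"
        counts[(fields.get("operation"), fields.get("profile"), subject)] += 1
        rule = suggest_rule(fields)
        if rule and rule not in rules:
            rules.append(rule)
    return counts, rules


def apply_rules(profile_text, rules):
    """Return the profile with `rules` inserted before its closing brace.

    When the allow form of sys_ptrace is added, an existing
    'deny capability sys_ptrace,' is removed: in AppArmor an explicit deny
    takes precedence over an allow, so keeping both would change nothing.
    """
    lines = profile_text.rstrip("\n").split("\n")
    if "capability sys_ptrace," in rules:
        lines = [l for l in lines if l.strip() != "deny capability sys_ptrace,"]
    close = max(i for i, l in enumerate(lines) if l.strip() == "}")
    existing = {l.strip() for l in lines}
    new_lines = ["  " + r for r in rules if r not in existing]
    return "\n".join(lines[:close] + new_lines + lines[close:]) + "\n"


if __name__ == "__main__":
    counts, rules = summarise_denials(SAMPLE_LOG)
    for (op, profile, subject), n in counts.most_common():
        print(f"{n:3d}  {op:<8} {profile}  ->  {subject}")
    print("\nRules to add:\n  " + "\n  ".join(rules))
    print("\nPatched profile:\n" + apply_rules(SAMPLE_PROFILE, rules))
```

Run against real logs with `python3 script.py < /var/log/kern.log` after swapping SAMPLE_LOG for `sys.stdin.read()`; the point of the aggregation is that dozens of ptrace lines collapse to a single capability rule, while each distinct /proc path under open becomes its own read rule that can be reviewed before it is added.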