Essentially the check iterates over all /proc/<numeric>
And there it does readlink to check if any has the target open.
In my example, if any FD is a link to /dev/ttyUSB0.
But this already is "graceful": the apparmor deny for
readlink(fdpath, linkpath, sizeof(linkpath))
is
apparmor="DENIED" operation="ptrace" profile="/usr/sbin/gpsd" pid=29314 comm="gpsd" requested_mask="read" denied_mask="read" peer="unconfined"
for path
/proc/1/fd/2
The retval then is -1 and that makes it continue, which would not increase "cnt" of the pids that have it opened. So keeping that blocked should not break function at all.
And usually this has in dmesg something like
[52111.940870] kauditd_printk_skb: 153 callbacks suppressed
I checked and we can functionally go on with
# triggered on fusercount, not strictly required and unsafe to allow
# adding a denial rule silences the warnings
deny ptrace read peer=unconfined,
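The /proc scan described in this comment, written out as an added example. This is not gpsd's own fusercount() from serial.c; the struct fuser_result, the `denied` counter and the demo_count_self() helper are my own additions to make the "readlink() fails, fd is skipped, pid is not counted" path visible. It assumes a Linux /proc and a writable /tmp for the demo.

```c
// Added example (not gpsd code): a fusercount-style scan of /proc/<pid>/fd.
#define _GNU_SOURCE
#include <ctype.h>
#include <dirent.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical result record: gpsd's fusercount() only returns a count. */
struct fuser_result {
    int pids;    /* distinct pids that have the target open */
    int denied;  /* readlink() calls refused with EACCES/EPERM (e.g. AppArmor ptrace deny) */
};

static int all_digits(const char *s) {
    if (*s == '\0') return 0;
    for (; *s; s++) if (!isdigit((unsigned char)*s)) return 0;
    return 1;
}

/* Count processes holding `target` open. Returns -1 only if /proc itself
 * cannot be read; every per-pid or per-fd failure is skipped, so a denied
 * readlink() never aborts the scan, it just leaves that pid uncounted. */
int fusercount(const char *target, struct fuser_result *res) {
    res->pids = 0;
    res->denied = 0;
    DIR *proc = opendir("/proc");
    if (proc == NULL) return -1;
    struct dirent *pe;
    while ((pe = readdir(proc)) != NULL) {
        if (!all_digits(pe->d_name)) continue;          /* only /proc/<numeric> */
        char fddir[PATH_MAX];
        snprintf(fddir, sizeof(fddir), "/proc/%s/fd", pe->d_name);
        DIR *fds = opendir(fddir);
        if (fds == NULL) continue;                       /* process gone or fd dir unreadable */
        struct dirent *fe;
        while ((fe = readdir(fds)) != NULL) {
            if (!all_digits(fe->d_name)) continue;
            char fdpath[PATH_MAX + 32], linkpath[PATH_MAX];
            snprintf(fdpath, sizeof(fdpath), "%s/%s", fddir, fe->d_name);
            ssize_t n = readlink(fdpath, linkpath, sizeof(linkpath) - 1);
            if (n < 0) {
                /* This is the path the AppArmor "ptrace read" denial takes:
                 * retval -1, errno EACCES, and we simply continue. */
                if (errno == EACCES || errno == EPERM) res->denied++;
                continue;
            }
            linkpath[n] = '\0';
            if (strcmp(linkpath, target) == 0) {
                res->pids++;   /* count the pid once ...                 */
                break;         /* ... even if it holds several fds to it */
            }
        }
        closedir(fds);
    }
    closedir(proc);
    return res->pids;
}

/* Demo helper (constructed): open a temp file in this process and count
 * who has it open. Only this process does, so the expected answer is 1. */
int demo_count_self(void) {
    char tmpl[] = "/tmp/fuserXXXXXX";
    int fd = mkstemp(tmpl);
    if (fd < 0) return -1;
    char *real = realpath(tmpl, NULL);   /* match readlink()'s canonical form */
    struct fuser_result r;
    int cnt = real ? fusercount(real, &r) : -1;
    free(real);
    close(fd);
    unlink(tmpl);
    return cnt;
}

int main(int argc, char **argv) {
    const char *target = argc > 1 ? argv[1] : "/dev/ttyUSB0";
    struct fuser_result r;
    int cnt = fusercount(target, &r);
    printf("%s: %d pid(s) have it open, %d fd readlink(s) denied\n",
           target, cnt, r.denied);
    return cnt < 0 ? 1 : 0;
}
```

Run it as an unprivileged user against any device path and the `denied` counter shows how many fds were skipped because the kernel refused the readlink(); the pid count is computed from the remainder, which is exactly why a confined gpsd still works with the deny rule in place.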