Hello,

On Monday, 16 October 2017, 21:05:16 CEST, Malte Gell wrote:
> in a profile I have the following rule:
>
> capability sys_ptrace,
>
> But I still get this error message:
>
> Profile: /usr/bin/foobar
> Operation: ptrace
> Denied: trace
> Logfile: /var/log/audit/audit.log
> (473 found, most recent from 'Mon Oct 16 20:57:56 2017')
>
> Why doesn't capability sys_ptrace, work here?
> Thanks!
AFAIK you use openSUSE Tumbleweed, so you probably have Kernel 4.13.x.
With Kernel 4.13, support for the "ptrace" rule type was added (actually
upstreamed - Ubuntu has carried this patch for years). Support for network
rules was also upstreamed - but since openSUSE has carried (an old version
of) that patch for years, that's nothing really new for you.
Based on what you quoted in your mail, you'll need a rule like
ptrace trace,
but the audit.log probably contains more details so that you can add
conditions like
ptrace trace peer=/usr/bin/foo,
The easiest way is to use aa-logprof - it already supports ptrace rules
and will propose a matching, as-strict-as-possible rule.
Oh, BTW: if this affects a profile shipped in Tumbleweed, please open a
bug report with the needed changes.
FYI: Kernel 4.14 supports some more rule types (mount/umount, signal,
pivot_root). The first profile patches are already in Tumbleweed, and I
expect some more profile updates before 4.14 enters Tumbleweed.
(I use 4.14 since rc2 from the KOTD repo, which helps a lot to find out
what needs to be done ;-)
Finally, 4.15 [1] will support two more rule types - dbus and unix. And
with that, the patches that were betatested ;-) by Ubuntu users for
years will finally be upstreamed :-)
(John, if I mixed up any version number, please correct me ;-)
aa-logprof already supports most of the new rule types, with the
exception of mount, pivot_root and unix rules. Support for unix rules is
near the top of my TODO list, so it should be available soon[tm] ;-)
mount and pivot_root are more rare, which also means adding full support
for them in aa-logprof isn't my top priority.
Regards,
Christian Boltz
[1] assuming the upstreaming works as planned
--
We break the translation consistently (wow, consistent break, I like
that wording) [from https://bugzilla.novell.com/show_bug.cgi?id=165509]
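As an added illustration (not code from this mail, nor from aa-logprof itself), here is a small Python script that does the core of what the reply recommends: it reads ptrace denials in the apparmor="DENIED" audit.log format, groups them per profile and peer, and proposes the strictest matching `ptrace ... peer=...,` rule instead of a blanket `ptrace,`. The audit lines are constructed sample input; the field names follow the kernel's DENIED log format.

```python
import re
from collections import defaultdict

# Constructed sample audit.log lines (not taken from the original mail).
# Three ptrace denials for /usr/bin/foobar plus one unrelated file denial.
SAMPLE_LOG = """\
type=AVC msg=audit(1508180276.101:471): apparmor="DENIED" operation="ptrace" profile="/usr/bin/foobar" pid=4242 comm="foobar" requested_mask="trace" denied_mask="trace" peer="/usr/bin/foo"
type=AVC msg=audit(1508180276.102:472): apparmor="DENIED" operation="ptrace" profile="/usr/bin/foobar" pid=4242 comm="foobar" requested_mask="trace" denied_mask="trace" peer="/usr/bin/foo"
type=AVC msg=audit(1508180276.103:473): apparmor="DENIED" operation="ptrace" profile="/usr/bin/foobar" pid=4243 comm="foobar" requested_mask="read" denied_mask="read" peer="unconfined"
type=AVC msg=audit(1508180276.104:474): apparmor="DENIED" operation="open" profile="/usr/bin/foobar" pid=4243 comm="foobar" requested_mask="r" denied_mask="r" name="/etc/shadow"
"""

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Return the key="value" fields of one audit line as a dict."""
    return dict(FIELD_RE.findall(line))


def ptrace_rules(log_text):
    """Propose the strictest ptrace rules that would satisfy the denials.

    Returns {profile: [rule, ...]}.  Denials with the same peer are merged
    into one rule whose access set is the union of the denied masks, so
    repeated identical denials (like the 473 in the mail) collapse to one
    line, e.g. 'ptrace trace peer=/usr/bin/foo,'.
    """
    wanted = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("apparmor") != "DENIED" or f.get("operation") != "ptrace":
            continue  # only ptrace denials are relevant here
        peer = f.get("peer", "unconfined")  # assumption: missing peer = unconfined
        for access in f["denied_mask"].split():
            wanted[f["profile"]][peer].add(access)
    rules = {}
    for profile, peers in wanted.items():
        out = []
        for peer, accesses in sorted(peers.items()):
            acc = sorted(accesses)
            access_str = acc[0] if len(acc) == 1 else "(" + " ".join(acc) + ")"
            out.append(f"ptrace {access_str} peer={peer},")
        rules[profile] = out
    return rules


if __name__ == "__main__":
    for profile, lines in ptrace_rules(SAMPLE_LOG).items():
        print(profile + " {")
        for rule in lines:
            print("  " + rule)
        print("}")
```

Unlike aa-logprof, this does not merge the output into an existing profile or offer abstractions; it only shows how a per-peer rule is derived from the log so you can see why `capability sys_ptrace,` alone is not enough.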
