Essentially the check iterates over all /proc/<numeric>, and there it does readlink to check if any has the target open. In my example, if any FD is a link to /dev/ttyUSB0.

But this already is "graceful"; the apparmor deny to
  readlink(fdpath, linkpath, sizeof(linkpath))
is
  apparmor="DENIED" operation="ptrace" profile="/usr/sbin/gpsd" pid=29314 comm="gpsd" requested_mask="read" denied_mask="read" peer="unconfined"
for path /proc/1/fd/2.

The retval then is -1 and that makes it continue, which would not increase "cnt" of the pids that have it opened.
So keeping that blocked should not break function at all.

And usually this has in dmesg something like
  [52111.940870] kauditd_printk_skb: 153 callbacks suppressed

I checked and we can functionally go on with
  # triggered on fusercount, not strictly required and unsafe to allow
  # adding a denial rule silences the warnings
  deny ptrace read peer=unconfined,

-- 
https://bugs.launchpad.net/bugs/1872175

Title:
  gpsd unable to open chrony PPS socket
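
The fusercount-style check described in the comment above, as an added C example that is not part of the original message or of gpsd's source: it walks /proc/<pid>/fd, treats a failed readlink() (such as the AppArmor-denied one) as "skip this fd", and counts the PIDs that have the target open. The names count_openers and unreadable are assumptions made for this illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <dirent.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Added illustration, not gpsd source. Returns how many PIDs hold an fd linking
 * to `target` (-1 if /proc cannot be opened); *unreadable counts failed readlinks. */
int count_openers(const char *target, int *unreadable)
{
    DIR *proc = opendir("/proc");
    struct dirent *pe, *fe;
    int cnt = 0;

    *unreadable = 0;
    if (proc == NULL) return -1;
    while ((pe = readdir(proc)) != NULL) {
        char fddir[272], fdpath[PATH_MAX], linkpath[PATH_MAX];
        DIR *fds;
        int hit = 0;

        if (!isdigit((unsigned char)pe->d_name[0])) continue;  /* only /proc/<numeric> */
        snprintf(fddir, sizeof(fddir), "/proc/%s/fd", pe->d_name);
        if ((fds = opendir(fddir)) == NULL) continue;  /* process exited or fd dir unreadable */
        while (!hit && (fe = readdir(fds)) != NULL) {
            if (fe->d_name[0] == '.') continue;        /* skip "." and ".." */
            snprintf(fdpath, sizeof(fdpath), "%s/%s", fddir, fe->d_name);
            ssize_t n = readlink(fdpath, linkpath, sizeof(linkpath) - 1);
            if (n < 0) {             /* e.g. the AppArmor ptrace denial */
                (*unreadable)++;
                continue;            /* skip this fd; cnt is not increased */
            }
            linkpath[n] = '\0';      /* readlink() does not NUL-terminate */
            hit = strcmp(linkpath, target) == 0;
        }
        closedir(fds);
        cnt += hit;
    }
    closedir(proc);
    return cnt;
}

int main(int argc, char **argv)
{
    int skipped, cnt = count_openers(argc > 1 ? argv[1] : "/dev/ttyUSB0", &skipped);
    printf("pids=%d unreadable_fds=%d\n", cnt, skipped);
    return cnt < 0;
}
```

A denied readlink() only raises the unreadable counter, so the returned count stays a lower bound: a process whose fds cannot be read is never counted as a user of the device.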