[pkg-apparmor] Bug#1003153: Bug#1003153: /etc/apparmor.d/usr.sbin.apache2: Apache profile complains when ss -tnlp is run
Christian Boltz
debian-bugs at cboltz.de
Wed Jan 5 12:24:59 GMT 2022
Hello,
On Wednesday, 5 January 2022, 03:31:40 CET, Craig Small wrote:
> audit: type=1400 audit(1641349042.460:2559): apparmor="DENIED"
> operation="ptrace" profile="apache2//HANDLING_UNTRUSTED_INPUT"
> pid=2792993 comm="ss" requested_mask="readby" denied_mask="readby"
> peer="/bin/ss"
>
> So ss is doing a ptrace on all the network listeners. The odd thing is
> that apache is the only one to complain about this even though other
> daemons listed have their own apparmor profiles.
That's not really odd ;-)
abstractions/base has

    ptrace (readby),
    ptrace (tracedby),

so all profiles that include abstractions/base can be ptraced.
However, what you see happens in the HANDLING_UNTRUSTED_INPUT hat (this
hat is used when Apache processes are idle) - and Apache hats typically
don't include abstractions/base.
(Nevertheless, the apache hats should allow to be ptraced. I'll leave
that to the maintainer of the Apache profile in Debian - and would love
to see the fix upstreamed.)
Regards,
Christian Boltz
--
<pjessen> okay. when can we have the next power outage,
for testing purposes ?
[from #opensuse-admin]
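
Added example, not part of the original message and not AppArmor's own tooling: a small triage script that parses AppArmor audit records, keeps only ptrace denials, and separates the parent profile from the hat so that a hat missing the `ptrace (readby)` rule of abstractions/base stands out. The function names, the second sample record, and the peer-scoped form of the candidate rule are assumptions of this example.

```python
import re
from collections import defaultdict

# First record: the denial quoted in the message above, joined onto one line.
SAMPLE_LOG = (
    'audit: type=1400 audit(1641349042.460:2559): apparmor="DENIED" '
    'operation="ptrace" profile="apache2//HANDLING_UNTRUSTED_INPUT" '
    'pid=2792993 comm="ss" requested_mask="readby" denied_mask="readby" '
    'peer="/bin/ss"\n'
    # Constructed record (not from the page): a non-ptrace denial to be skipped.
    'audit: type=1400 audit(1641349050.100:2560): apparmor="DENIED" '
    'operation="open" profile="example-daemon" name="/var/log/example.log" '
    'pid=4242 comm="example" requested_mask="r" denied_mask="r"\n'
)

FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_record(line):
    """Return the key=value fields of one audit line as a dict, quotes stripped."""
    return {k: (q if raw.startswith('"') else raw) for k, raw, q in FIELD_RE.findall(line)}

def ptrace_denials(log_text):
    """Group denied ptrace masks by (profile, hat, peer)."""
    found = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("apparmor") != "DENIED" or rec.get("operation") != "ptrace":
            continue
        # "profile//hat" names a hat; without "//" the denial is in the parent profile.
        profile, _, hat = rec.get("profile", "").partition("//")
        key = (profile, hat or None, rec.get("peer"))
        found[key].update(rec.get("denied_mask", "").split())
    return dict(found)

def suggested_rules(denials):
    """Render one candidate ptrace rule per (profile, hat, peer) for manual review."""
    rules = []
    for (profile, hat, peer), masks in sorted(denials.items(), key=str):
        where = f"{profile}//{hat}" if hat else profile
        peer_part = f" peer={peer}" if peer else ""
        rules.append((where, f"ptrace ({', '.join(sorted(masks))}){peer_part},"))
    return rules

if __name__ == "__main__":
    for where, rule in suggested_rules(ptrace_denials(SAMPLE_LOG)):
        print(f"{where}: {rule}")
```
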