[pkg-apparmor] Bug#1003153: Bug#1003153: /etc/apparmor.d/usr.sbin.apache2: Apache profile complains when ss -tnlp is run

Craig Small csmall at debian.org
Wed Jan 5 21:28:10 GMT 2022


On 2022-01-05 at 12:24, debian-bugs at cboltz.de wrote:
> so all profiles that include abstractions/base can be ptraced.
>
> However, what you see happens in the HANDLING_UNTRUSTED_INPUT hat (this
> hat is used when Apache processes are idle) - and Apache hats typically
> don't include abstractions/base.
Ah ha, that's what's doing it. Thanks for the explanation.

> (Nevertheless, the apache hats should allow to be ptraced. I'll leave
> that to the maintainer of the Apache profile in Debian - and would love
> to see the fix upstreamed.)
I suppose all of the hats should have some line for this. I suspect it
is possible to ptrace apache when in the non-idle hat; my webserver is
just not very busy.

 - Craig
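
Added example (not part of the original message, and not code from the Debian or upstream AppArmor profiles): a small check that lists the hats in a profile which neither include abstractions/base nor carry their own ptrace rule, which is the gap discussed above. The sample profile, the hat names other than HANDLING_UNTRUSTED_INPUT, and the assumption that `readby` is the permission of interest are all constructed for illustration.

```python
import re

# Constructed sample profile, loosely shaped like an Apache profile with hats.
# It is NOT the Debian profile; all rules and two of the hat names are made up.
SAMPLE_PROFILE = """\
profile apache2 /usr/sbin/apache2 {
  #include <abstractions/base>
  ^DEFAULT_URI {
    include <abstractions/base>
    /var/www/html/** r,
  }
  ^HANDLING_UNTRUSTED_INPUT {
    /var/log/apache2/* w,
  }
  ^EXAMPLE_APP {
    ptrace (readby),
    /srv/app/** r,
  }
}
"""

HAT_OPEN = re.compile(r"^\s*(?:\^|hat\s+)(\S+)\s*(?:flags=\([^)]*\)\s*)?\{")
BASE_INCLUDE = re.compile(r"^\s*#?include\s+<abstractions/base>")
# Recognises a bare "ptrace," (all permissions) or a rule naming readby.
# Assumption: readby is the permission of interest for this check.
PTRACE_RULE = re.compile(r"^\s*(?:allow\s+)?ptrace\s*(?:,|[^,]*\breadby\b)")


def hats_without_ptrace_readby(profile_text):
    """Return hats that neither include abstractions/base nor carry their
    own ptrace rule covering readby. Rules of the parent profile are
    ignored, because a hat does not inherit them."""
    missing, hat, depth, allowed = [], None, 0, False
    for line in profile_text.splitlines():
        if hat is None:
            m = HAT_OPEN.match(line)
            if m:
                hat, depth, allowed = m.group(1), 1, False
            continue
        if BASE_INCLUDE.match(line) or PTRACE_RULE.match(line):
            allowed = True
        # Brace globs such as /usr/{bin,sbin}/x balance out within one line.
        depth += line.count("{") - line.count("}")
        if depth == 0:
            if not allowed:
                missing.append(hat)
            hat = None
    return missing
```

Run against the constructed sample, only HANDLING_UNTRUSTED_INPUT is reported; the parser is line-based and does not follow includes other than abstractions/base.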


