[Apparmor-general] auditd logs allowed actions

Seth Arnold seth.arnold at suse.de
Wed Jan 31 18:38:32 MST 2007


On Thu, Feb 01, 2007 at 12:48:20AM +0100, Christian Boltz wrote:
> It seems auditd logs actions that are already allowed in the profile.
> Or aa-logprof just thinks that it is already allowed in the profile...
> 
> The logfile is flooded with lots of messages:
>     type=APPARMOR msg=audit(1170284111.841:2552): REJECTING access to 
>     syscall 'ptrace' (lsof(5506) profile /usr/sbin/fou4s 
>     active /usr/sbin/fou4s)

ptrace is special; we disallow a confined process from doing anything
with ptrace. (Well, I can easily read in the code that we forbid a
process to be on the 'controlling' end of ptrace -- a process that is
confined can of course be traced.)

The only thing you could do for this profile is give lsof unconfined
execute privilege. Be sure to use Ux to clean the environment.

A confined process that has ptrace ability can control e.g. an
unconfined process or a process in a different profile, or even a
process in the same profile but with different open file descriptors to
unmanaged file descriptors, to perform operations that it wouldn't be
allowed to do on its own.

We have discussed creating a more flexible approach to ptrace that
would allow partial access to ptracing programs. (Say, allow ptracing
same-profile, or named-profiles, and so forth.) But figuring this out has
taken a back seat to getting AppArmor into the mainline kernel. Sorry.

Thanks, Christian
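The following is an added example for readers of this thread; it is not code from the original message, from Christian, or from the AppArmor project. It parses the 2007-era audit lines in the exact form quoted above (type=APPARMOR ... REJECTING access to syscall 'ptrace' (...)), counts ptrace rejections per profile and helper command, and formats the Ux rule Seth recommends. Everything in the sample log except the first quoted line is constructed; the helper path /usr/bin/lsof used for the suggested rule is an assumption, since the log records only the command name, not its path. The regex will not match the later apparmor="DENIED" message format.

```python
import re
from collections import Counter

# Constructed sample log. The first line is the one quoted in the thread; the
# rest are made up (serials, PIDs, a file-access rejection and a second profile)
# so the parser has something to distinguish.
SAMPLE_LOG = """\
type=APPARMOR msg=audit(1170284111.841:2552): REJECTING access to syscall 'ptrace' (lsof(5506) profile /usr/sbin/fou4s active /usr/sbin/fou4s)
type=APPARMOR msg=audit(1170284112.003:2553): REJECTING access to syscall 'ptrace' (lsof(5507) profile /usr/sbin/fou4s active /usr/sbin/fou4s)
type=APPARMOR msg=audit(1170284113.117:2554): REJECTING r access to /etc/shadow (cat(5510) profile /usr/sbin/fou4s active /usr/sbin/fou4s)
type=APPARMOR msg=audit(1170284114.220:2555): REJECTING access to syscall 'ptrace' (gdb(5511) profile /usr/bin/foo active /usr/bin/foo)
"""

# Matches only the syscall-rejection form shown in the quoted log line.
# File-access rejections ("REJECTING r access to /path") are deliberately
# not matched, so they do not pollute the ptrace count.
SYSCALL_RE = re.compile(
    r"type=APPARMOR msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): "
    r"REJECTING access to syscall '(?P<syscall>\w+)' "
    r"\((?P<comm>[^(]+)\((?P<pid>\d+)\) "
    r"profile (?P<profile>[^)\s]+) active (?P<active>[^)\s]+)\)"
)


def parse_syscall_rejections(text):
    """Return one dict per REJECTING-syscall line in the audit text."""
    records = []
    for line in text.splitlines():
        m = SYSCALL_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["pid"] = int(rec["pid"])
        rec["serial"] = int(rec["serial"])
        records.append(rec)
    return records


def ptrace_offenders(text):
    """Count ptrace rejections keyed by (profile, helper command name)."""
    counts = Counter()
    for rec in parse_syscall_rejections(text):
        if rec["syscall"] == "ptrace":
            counts[(rec["profile"], rec["comm"])] += 1
    return counts


def suggest_ux_rule(helper_path):
    """Format the profile line that lets the helper run unconfined.

    Capital U (rather than u) scrubs the environment of the unconfined
    child, which is what the reply above advises.
    """
    return f"  {helper_path} Ux,"


def report(text, helper_paths):
    """Build a per-profile summary and the rule to add.

    helper_paths maps a command name to the path that will appear in the
    rule; the mapping is an assumption, because the log only has the name.
    """
    lines = []
    for (profile, comm), n in sorted(ptrace_offenders(text).items()):
        path = helper_paths.get(comm)
        rule = suggest_ux_rule(path) if path else f"  # path for '{comm}' unknown"
        lines.append(f"{profile}: {n} ptrace rejection(s) from {comm}; add:\n{rule}")
    return lines


if __name__ == "__main__":
    # /usr/bin/lsof is an assumed location, not taken from the log.
    for entry in report(SAMPLE_LOG, {"lsof": "/usr/bin/lsof"}):
        print(entry)
```

Because ptrace itself cannot be granted to a confined process in this version, the parser does not try to turn these lines into a ptrace rule; it only tells you which profile needs the helper's execute mode changed and the helper path still has to be supplied by hand.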