Apparmor: fills up log with denied ptrace messages

morph027

My log now gets filled up with messages like this:

Code:
Jan 08 08:17:54 itchy kernel: audit: type=1400 audit(1452237474.036:1468): apparmor="DENIED" operation="ptrace" profile="lxc-container-default" pid=19654 comm="ps" requested_mask="trace" denied_mask="trace" peer="unconfined"
Jan 08 08:17:59 itchy kernel: audit: type=1400 audit(1452237479.028:1469): apparmor="DENIED" operation="ptrace" profile="lxc-container-default" pid=19748 comm="ps" requested_mask="trace" denied_mask="trace" peer="unconfined"
Jan 08 08:18:04 itchy kernel: audit: type=1400 audit(1452237484.032:1470): apparmor="DENIED" operation="ptrace" profile="lxc-container-default" pid=19957 comm="ps" requested_mask="trace" denied_mask="trace" peer="unconfined"
Jan 08 08:18:09 itchy kernel: audit: type=1400 audit(1452237489.043:1471): apparmor="DENIED" operation="ptrace" profile="lxc-container-default" pid=20056 comm="ps" requested_mask="trace" denied_mask="trace" peer="unconfined"
Jan 08 08:18:14 itchy kernel: audit: type=1400 audit(1452237494.027:1472): apparmor="DENIED" operation="ptrace" profile="lxc-container-default" pid=20084 comm="ps" requested_mask="trace" denied_mask="trace" peer="unconfined"
Jan 08 08:18:19 itchy kernel: audit: type=1400 audit(1452237499.031:1473): apparmor="DENIED" operation="ptrace" profile="lxc-container-default" pid=20181 comm="ps" requested_mask="trace" denied_mask="trace" peer="unconfined"
Jan 08 08:18:24 itchy kernel: audit: type=1400 audit(1452237504.035:1474): apparmor="DENIED" operation="ptrace" profile="lxc-container-default" pid=20230 comm="ps" requested_mask="trace" denied_mask="trace" peer="unconfined"
Jan 08 08:18:29 itchy kernel: audit: type=1400 audit(1452237509.027:1475): apparmor="DENIED" operation="ptrace" profile="lxc-container-default" pid=20325 comm="ps" requested_mask="trace" denied_mask="trace" peer="unconfined"
Jan 08 08:18:34 itchy kernel: audit: type=1400 audit(1452237514.031:1476): apparmor="DENIED" operation="ptrace" profile="lxc-container-default" pid=20383 comm="ps" requested_mask="trace" denied_mask="trace" peer="unconfined"
Jan 08 08:18:39 itchy kernel: audit: type=1400 audit(1452237519.030:1477): apparmor="DENIED" operation="ptrace" profile="lxc-container-default" pid=20676 comm="ps" requested_mask="trace" denied_mask="trace" peer="unconfined"
Jan 08 08:18:44 itchy kernel: audit: type=1400 audit(1452237524.022:1478): apparmor="DENIED" operation="ptrace" profile="lxc-container-default" pid=20707 comm="ps" requested_mask="trace" denied_mask="trace" peer="unconfined"
Jan 08 08:18:49 itchy kernel: audit: type=1400 audit(1452237529.058:1479): apparmor="DENIED" operation="ptrace" profile="lxc-container-default" pid=20905 comm="ps" requested_mask="trace" denied_mask="trace" peer="unconfined"

This is caused by our monitoring (check_mk) ... However, the same message appears when doing ps inside a lxc container manually.

I've added this to /etc/apparmor.d/lxc/lxc-default

Code:
ptrace peer=@{profile_name},

followed by an /etc/init.d/apparmor reload, which made the errors disappear.

Code:
# Do not load this file.  Rather, load /etc/apparmor.d/lxc-containers, which
# will source all profiles under /etc/apparmor.d/lxc

profile lxc-container-default flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/lxc/container-base>

  # the container may never be allowed to mount devpts.  If it does, it
  # will remount the host's devpts.  We could allow it to do it with
  # the newinstance option (but, right now, we don't).
  deny mount fstype=devpts,
  ptrace peer=@{profile_name},
}
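Before silencing a denial with a profile rule, it is worth knowing how often it fires and from which program and peer. The following is an added example, not code from the post or from Proxmox/LXC: it parses AppArmor `type=1400` audit lines in the format shown above, counts DENIED events per profile/operation/comm/peer, and checks a profile text for the `ptrace peer=...,` rule the post adds. The sample log lines are constructed from the post's format.

```python
import re
from collections import Counter

# key="value" pairs as written in AppArmor audit (type=1400) messages;
# unquoted fields such as pid=19654 are intentionally ignored
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample input in the same format as the post's log excerpt
SAMPLE_LOG = """\
Jan 08 08:17:54 itchy kernel: audit: type=1400 audit(1452237474.036:1468): apparmor="DENIED" operation="ptrace" profile="lxc-container-default" pid=19654 comm="ps" requested_mask="trace" denied_mask="trace" peer="unconfined"
Jan 08 08:17:59 itchy kernel: audit: type=1400 audit(1452237479.028:1469): apparmor="DENIED" operation="ptrace" profile="lxc-container-default" pid=19748 comm="ps" requested_mask="trace" denied_mask="trace" peer="unconfined"
Jan 08 08:18:04 itchy kernel: audit: type=1400 audit(1452237484.032:1470): apparmor="ALLOWED" operation="open" profile="lxc-container-default" pid=19957 comm="cat" requested_mask="r" denied_mask="r"
Jan 08 08:18:09 itchy kernel: some unrelated kernel message
"""


def parse_apparmor_line(line):
    """Return the quoted key/value fields of an AppArmor audit line, or None."""
    if 'apparmor="' not in line:
        return None
    return dict(FIELD_RE.findall(line))


def summarise_denials(log_text):
    """Count DENIED events per (profile, operation, comm, peer)."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = parse_apparmor_line(line)
        if fields and fields.get("apparmor") == "DENIED":
            key = (fields.get("profile"), fields.get("operation"),
                   fields.get("comm"), fields.get("peer", ""))
            counts[key] += 1
    return counts


def profile_allows_ptrace(profile_text, peer):
    """True if the profile text contains an explicit `ptrace peer=<peer>,` rule.
    The post's fix uses peer=@{profile_name}, i.e. the profile itself."""
    rule = re.compile(r"^\s*ptrace\s+peer=" + re.escape(peer) + r"\s*,", re.M)
    return rule.search(profile_text) is not None


if __name__ == "__main__":
    for (profile, op, comm, peer), n in summarise_denials(SAMPLE_LOG).items():
        print(f"{n:4d}  profile={profile} op={op} comm={comm} peer={peer}")
```

On a live host, feed it `journalctl -k` output instead of SAMPLE_LOG; the peer label reported in the log (here "unconfined") is what you would pass to profile_allows_ptrace to see whether the rule you added actually covers the denial being logged.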
