Apparmor: fills up log with denied ptrace messages

morph027

Mar 22, 2013
My log now gets filled up with messages like this:

Code:
Jan 08 08:17:54 itchy kernel: audit: type=1400 audit(1452237474.036:1468): apparmor="DENIED" operation="ptrace" profile="lxc-container-default" pid=19654 comm="ps" requested_mask="trace" denied_mask="trace" peer="unconfined"
Jan 08 08:17:59 itchy kernel: audit: type=1400 audit(1452237479.028:1469): apparmor="DENIED" operation="ptrace" profile="lxc-container-default" pid=19748 comm="ps" requested_mask="trace" denied_mask="trace" peer="unconfined"
Jan 08 08:18:04 itchy kernel: audit: type=1400 audit(1452237484.032:1470): apparmor="DENIED" operation="ptrace" profile="lxc-container-default" pid=19957 comm="ps" requested_mask="trace" denied_mask="trace" peer="unconfined"
Jan 08 08:18:09 itchy kernel: audit: type=1400 audit(1452237489.043:1471): apparmor="DENIED" operation="ptrace" profile="lxc-container-default" pid=20056 comm="ps" requested_mask="trace" denied_mask="trace" peer="unconfined"
Jan 08 08:18:14 itchy kernel: audit: type=1400 audit(1452237494.027:1472): apparmor="DENIED" operation="ptrace" profile="lxc-container-default" pid=20084 comm="ps" requested_mask="trace" denied_mask="trace" peer="unconfined"
Jan 08 08:18:19 itchy kernel: audit: type=1400 audit(1452237499.031:1473): apparmor="DENIED" operation="ptrace" profile="lxc-container-default" pid=20181 comm="ps" requested_mask="trace" denied_mask="trace" peer="unconfined"
Jan 08 08:18:24 itchy kernel: audit: type=1400 audit(1452237504.035:1474): apparmor="DENIED" operation="ptrace" profile="lxc-container-default" pid=20230 comm="ps" requested_mask="trace" denied_mask="trace" peer="unconfined"
Jan 08 08:18:29 itchy kernel: audit: type=1400 audit(1452237509.027:1475): apparmor="DENIED" operation="ptrace" profile="lxc-container-default" pid=20325 comm="ps" requested_mask="trace" denied_mask="trace" peer="unconfined"
Jan 08 08:18:34 itchy kernel: audit: type=1400 audit(1452237514.031:1476): apparmor="DENIED" operation="ptrace" profile="lxc-container-default" pid=20383 comm="ps" requested_mask="trace" denied_mask="trace" peer="unconfined"
Jan 08 08:18:39 itchy kernel: audit: type=1400 audit(1452237519.030:1477): apparmor="DENIED" operation="ptrace" profile="lxc-container-default" pid=20676 comm="ps" requested_mask="trace" denied_mask="trace" peer="unconfined"
Jan 08 08:18:44 itchy kernel: audit: type=1400 audit(1452237524.022:1478): apparmor="DENIED" operation="ptrace" profile="lxc-container-default" pid=20707 comm="ps" requested_mask="trace" denied_mask="trace" peer="unconfined"
Jan 08 08:18:49 itchy kernel: audit: type=1400 audit(1452237529.058:1479): apparmor="DENIED" operation="ptrace" profile="lxc-container-default" pid=20905 comm="ps" requested_mask="trace" denied_mask="trace" peer="unconfined"

This is caused by our monitoring (check_mk) ... However, the same message appears when doing ps inside a lxc container manually.

I've added this to /etc/apparmor.d/lxc/lxc-default

Code:
ptrace peer=@{profile_name},

followed by an /etc/init.d/apparmor reload which made the errors disappear.

Code:
# Do not load this file.  Rather, load /etc/apparmor.d/lxc-containers, which
# will source all profiles under /etc/apparmor.d/lxc

profile lxc-container-default flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/lxc/container-base>

  # the container may never be allowed to mount devpts.  If it does, it
  # will remount the host's devpts.  We could allow it to do it with
  # the newinstance option (but, right now, we don't).
  deny mount fstype=devpts,
  ptrace peer=@{profile_name},
}
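Before widening a profile, it helps to see exactly which (profile, operation, comm, peer) combination is generating the noise and how fast. The parser below is an added example, not code from the post or from the LXC/AppArmor projects; it reads kernel `type=1400` audit lines of the format shown above, aggregates the DENIED events, and computes their rate. The sample input reuses three lines from the post plus one constructed non-audit line to show filtering.

```python
import re
from collections import Counter

# Kernel audit prefix: "audit: type=1400 audit(<epoch>.<ms>:<serial>): <key=value ...>"
AUDIT_RE = re.compile(
    r'audit: type=(?P<type>\d+) audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<body>.*)$')
# key="quoted value" or key=bareword; group 3 holds the inside of a quoted value.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_audit_line(line):
    """Return the fields of one AppArmor (type=1400) audit line, or None otherwise."""
    m = AUDIT_RE.search(line)
    if not m or m.group('type') != '1400':
        return None
    fields = {'timestamp': float(m.group('ts')), 'serial': int(m.group('serial'))}
    for key, raw, quoted in KV_RE.findall(m.group('body')):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields

def denied_events(lines):
    """Parsed fields of every DENIED event among the given lines, in input order."""
    parsed = (parse_audit_line(line) for line in lines)
    return [f for f in parsed if f and f.get('apparmor') == 'DENIED']

def summarize_denials(lines):
    """Count DENIED events by (profile, operation, comm, peer, denied_mask)."""
    counts = Counter()
    for f in denied_events(lines):
        counts[(f['profile'], f['operation'], f['comm'],
                f.get('peer', '-'), f['denied_mask'])] += 1
    return counts

def denials_per_minute(lines):
    """Average DENIED rate over the time span of the lines (0.0 if fewer than two)."""
    ts = sorted(f['timestamp'] for f in denied_events(lines))
    if len(ts) < 2 or ts[-1] == ts[0]:
        return 0.0
    return (len(ts) - 1) * 60.0 / (ts[-1] - ts[0])

# Sample input: three lines from the post plus one constructed non-audit kernel line.
SAMPLE_LOG = [
    'Jan 08 08:17:54 itchy kernel: audit: type=1400 audit(1452237474.036:1468): apparmor="DENIED" operation="ptrace" profile="lxc-container-default" pid=19654 comm="ps" requested_mask="trace" denied_mask="trace" peer="unconfined"',
    'Jan 08 08:17:56 itchy kernel: eth0: link becomes ready',  # constructed, must be ignored
    'Jan 08 08:17:59 itchy kernel: audit: type=1400 audit(1452237479.028:1469): apparmor="DENIED" operation="ptrace" profile="lxc-container-default" pid=19748 comm="ps" requested_mask="trace" denied_mask="trace" peer="unconfined"',
    'Jan 08 08:18:04 itchy kernel: audit: type=1400 audit(1452237484.032:1470): apparmor="DENIED" operation="ptrace" profile="lxc-container-default" pid=19957 comm="ps" requested_mask="trace" denied_mask="trace" peer="unconfined"',
]

if __name__ == '__main__':
    for key, n in summarize_denials(SAMPLE_LOG).most_common():
        print(n, key)
    print('denials/min: %.1f' % denials_per_minute(SAMPLE_LOG))
```

Feed it `journalctl -k` output (or `dmesg`) to get the same breakdown on a live host; the peer field in particular tells you whether a same-profile rule like the one in the post can match the denied access.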