[lxc-users] apparmor kernel log entries

Mark Chaney mail at lists.macscr.com
Wed Dec 30 21:44:25 UTC 2015


Well I have the check_mk monitoring agent running on every container and 
on the host. Any chance some detailed steps could be given to allow 
ptrace to run on the containers? They are already privileged if that 
makes any difference.

On 2015-12-28 17:58, Serge Hallyn wrote:
> Quoting Mark Chaney (mail at lists.macscr.com):
>> Any suggestions for resolving this warning/error I keep getting on
>> my LXC host (Ubuntu 14.04 LTS)? All my guests are privileged. I have
>> no idea what container is even sparking the log entry.
>> 
>> Dec 22 11:39:04 backup kernel: [498830.030751] type=1400
>> audit(1450805944.611:17688): apparmor="DENIED" operation="ptrace"
>> profile="lxc-container-default" pid=7448 comm="lsof"
>> requested_mask="read" denied_mask="read" peer="unconfined"
>> Dec 22 11:41:22 backup kernel: [498967.665959] type=1400
>> audit(1450806082.172:17737): apparmor="DENIED" operation="ptrace"
>> profile="lxc-container-default" pid=13992 comm="ps"
>> requested_mask="trace" denied_mask="trace" peer="unconfined"
>> Dec 22 11:43:29 backup kernel: [499094.819757] type=1400
>> audit(1450806209.256:17753): apparmor="DENIED" operation="ptrace"
>> profile="lxc-container-default" pid=18458 comm="ps"
>> requested_mask="trace" denied_mask="trace" peer="unconfined"
>> Dec 22 11:45:22 backup kernel: [499207.838369] type=1400
>> audit(1450806322.216:17754): apparmor="DENIED" operation="ptrace"
>> profile="lxc-container-default" pid=20840 comm="ps"
>> requested_mask="trace" denied_mask="trace" peer="unconfined"
>> Dec 22 11:45:22 backup kernel: [499207.839167] type=1400
>> audit(1450806322.216:17757): apparmor="DENIED" operation="ptrace"
>> profile="lxc-container-default" pid=20840 comm="ps"
>> requested_mask="trace" denied_mask="trace" peer="unconfined"
>> Dec 22 11:51:22 backup kernel: [499568.111011] type=1400
>> audit(1450806682.289:17789): apparmor="DENIED" operation="ptrace"
>> profile="lxc-container-default" pid=2115 comm="ps"
>> requested_mask="trace" denied_mask="trace" peer="unconfined"
> 
> It looks to me like you have a task in the container doing ps or lsof
> while it is able to see a host task.  This can happen for instance
> while a host task is in the middle of transitioning into a
> container (i.e. lxc-attach).  The 'ptrace' check is used for several
> types of checks (not just the ptrace syscall).  I'm not sure why you
> have so many of these, but it is correct for the container task to
> not be allowed ptrace access to something unconfined.
> _______________________________________________
> lxc-users mailing list
> lxc-users at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-users
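The denial lines quoted above all have the same key="value" shape, so finding out which containers and commands are producing them is a job for a small script. The following is an added example, not code from the thread or from LXC: it parses the kernel audit lines, counts denials per profile/operation/comm/mask/peer, and flags the case Serge describes (a task under a container profile checked against an unconfined, i.e. host-side, peer). The sample log is constructed from the quoted entries.

```python
import re
from collections import Counter

# Constructed sample: the denial lines quoted in the thread, one per line.
SAMPLE_LOG = """\
Dec 22 11:39:04 backup kernel: [498830.030751] type=1400 audit(1450805944.611:17688): apparmor="DENIED" operation="ptrace" profile="lxc-container-default" pid=7448 comm="lsof" requested_mask="read" denied_mask="read" peer="unconfined"
Dec 22 11:41:22 backup kernel: [498967.665959] type=1400 audit(1450806082.172:17737): apparmor="DENIED" operation="ptrace" profile="lxc-container-default" pid=13992 comm="ps" requested_mask="trace" denied_mask="trace" peer="unconfined"
Dec 22 11:45:22 backup kernel: [499207.838369] type=1400 audit(1450806322.216:17754): apparmor="DENIED" operation="ptrace" profile="lxc-container-default" pid=20840 comm="ps" requested_mask="trace" denied_mask="trace" peer="unconfined"
Dec 22 11:45:22 backup kernel: [499207.839167] type=1400 audit(1450806322.216:17757): apparmor="DENIED" operation="ptrace" profile="lxc-container-default" pid=20840 comm="ps" requested_mask="trace" denied_mask="trace" peer="unconfined"
Dec 22 11:51:22 backup kernel: [499568.111011] type=1400 audit(1450806682.289:17789): apparmor="DENIED" operation="ptrace" profile="lxc-container-default" pid=2115 comm="ps" requested_mask="trace" denied_mask="trace" peer="unconfined"
"""

# audit(<epoch seconds>:<serial>): followed by the AppArmor key=value body
AUDIT_RE = re.compile(r'audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$')
# key="quoted value" or key=bareword
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line):
    """Return a dict of AppArmor audit fields, or None for non-AppArmor kernel lines."""
    m = AUDIT_RE.search(line)
    if not m or 'apparmor=' not in m.group('body'):
        return None
    fields = {key: quoted or bare for key, _, quoted, bare in KV_RE.findall(m.group('body'))}
    fields['ts'] = float(m.group('ts'))       # audit timestamp (epoch seconds)
    fields['serial'] = int(m.group('serial'))  # audit serial number
    return fields


def container_vs_unconfined(fields):
    """True when a task under an lxc-* profile was checked against an unconfined peer,
    the host-task-visible-from-container case explained in the thread."""
    return fields.get('profile', '').startswith('lxc-') and fields.get('peer') == 'unconfined'


def summarize(text):
    """Count DENIED events keyed by (profile, operation, comm, denied_mask, peer)."""
    counts = Counter()
    for line in text.splitlines():
        f = parse_line(line)
        if f and f.get('apparmor') == 'DENIED':
            counts[(f['profile'], f['operation'], f['comm'], f['denied_mask'], f['peer'])] += 1
    return counts


if __name__ == '__main__':
    for key, n in summarize(SAMPLE_LOG).most_common():
        print(n, *key)
```

Feed it `journalctl -k` or `/var/log/kern.log` output instead of the sample to see which comm values and PIDs dominate; the pid field can then be matched against `lxc-info -p` output or the containers' cgroups to identify the container.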


