[lxc-users] apparmor kernel log entries

Serge Hallyn serge.hallyn at ubuntu.com
Wed Jan 6 04:36:49 UTC 2016


Wait - are you saying you want tasks in the container to be able to
ptrace tasks on the host?

Quoting Mark Chaney (mail at lists.macscr.com):
> Well I have the check_mk monitoring agent running on every container
> and on the host. Any chance some detailed steps could be given to
> allow ptrace to run on the containers? They are already privileged
> if that makes any difference.
> 
> On 2015-12-28 17:58, Serge Hallyn wrote:
> >Quoting Mark Chaney (mail at lists.macscr.com):
> >>Any suggestions for resolving this warning/error I keep getting on
> >>my lxc host (Ubuntu 14.04 LTS)? All my guests are privileged. I have
> >>no idea what container is even sparking the log entry.
> >>
> >>Dec 22 11:39:04 backup kernel: [498830.030751] type=1400
> >>audit(1450805944.611:17688): apparmor="DENIED" operation="ptrace"
> >>profile="lxc-container-default" pid=7448 comm="lsof"
> >>requested_mask="read" denied_mask="read" peer="unconfined"
> >>Dec 22 11:41:22 backup kernel: [498967.665959] type=1400
> >>audit(1450806082.172:17737): apparmor="DENIED" operation="ptrace"
> >>profile="lxc-container-default" pid=13992 comm="ps"
> >>requested_mask="trace" denied_mask="trace" peer="unconfined"
> >>Dec 22 11:43:29 backup kernel: [499094.819757] type=1400
> >>audit(1450806209.256:17753): apparmor="DENIED" operation="ptrace"
> >>profile="lxc-container-default" pid=18458 comm="ps"
> >>requested_mask="trace" denied_mask="trace" peer="unconfined"
> >>Dec 22 11:45:22 backup kernel: [499207.838369] type=1400
> >>audit(1450806322.216:17754): apparmor="DENIED" operation="ptrace"
> >>profile="lxc-container-default" pid=20840 comm="ps"
> >>requested_mask="trace" denied_mask="trace" peer="unconfined"
> >>Dec 22 11:45:22 backup kernel: [499207.839167] type=1400
> >>audit(1450806322.216:17757): apparmor="DENIED" operation="ptrace"
> >>profile="lxc-container-default" pid=20840 comm="ps"
> >>requested_mask="trace" denied_mask="trace" peer="unconfined"
> >>Dec 22 11:51:22 backup kernel: [499568.111011] type=1400
> >>audit(1450806682.289:17789): apparmor="DENIED" operation="ptrace"
> >>profile="lxc-container-default" pid=2115 comm="ps"
> >>requested_mask="trace" denied_mask="trace" peer="unconfined"
> >
> >It looks to me like you have a task in the container doing ps or lsof
> >while it is able to see a host task.  This can happen for instance
> >while a host task is in the middle of transitioning into a
> >container (i.e. lxc-attach).  The 'ptrace' check is used for several
> >types of checks (not just the ptrace syscall).  I'm not sure why you
> >have so many of these, but it is correct for the container task to
> >not be allowed ptrace access to something unconfined.
> >_______________________________________________
> >lxc-users mailing list
> >lxc-users at lists.linuxcontainers.org
> >http://lists.linuxcontainers.org/listinfo/lxc-users
> 
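As an added example (not from the thread or from the LXC project): a small Python parser for the type=1400 AppArmor audit lines quoted above, counting DENIED ptrace events per profile/comm/peer and isolating the case Serge describes, a confined container profile refused ptrace-class access to an unconfined (host) peer. The first three sample lines are copied from the thread; the fourth is constructed to show a non-ptrace denial being filtered out.

```python
import re
from collections import Counter

# Sample input: lines 1-3 copied from the thread, line 4 constructed (not real).
SAMPLE_LOG = """\
Dec 22 11:39:04 backup kernel: [498830.030751] type=1400 audit(1450805944.611:17688): apparmor="DENIED" operation="ptrace" profile="lxc-container-default" pid=7448 comm="lsof" requested_mask="read" denied_mask="read" peer="unconfined"
Dec 22 11:41:22 backup kernel: [498967.665959] type=1400 audit(1450806082.172:17737): apparmor="DENIED" operation="ptrace" profile="lxc-container-default" pid=13992 comm="ps" requested_mask="trace" denied_mask="trace" peer="unconfined"
Dec 22 11:45:22 backup kernel: [499207.838369] type=1400 audit(1450806322.216:17754): apparmor="DENIED" operation="ptrace" profile="lxc-container-default" pid=20840 comm="ps" requested_mask="trace" denied_mask="trace" peer="unconfined"
Dec 22 11:50:00 backup kernel: [499500.000000] type=1400 audit(1450806600.000:17780): apparmor="DENIED" operation="open" profile="lxc-container-default" name="/constructed/path" pid=2200 comm="cat" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens.
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_apparmor_line(line):
    """Return the key=value fields of a type=1400 (AppArmor) audit line, else None."""
    fields = {key: (quoted or bare) for key, quoted, bare in KV.findall(line)}
    if fields.get("type") != "1400" or "apparmor" not in fields:
        return None
    return fields


def ptrace_denial_summary(log_text):
    """Count DENIED ptrace events keyed by (profile, comm, peer, denied_mask)."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_apparmor_line(line)
        if f is None or f.get("apparmor") != "DENIED" or f.get("operation") != "ptrace":
            continue
        key = (f.get("profile", "?"), f.get("comm", "?"),
               f.get("peer", "?"), f.get("denied_mask", "?"))
        counts[key] += 1
    return counts


def container_to_unconfined(summary):
    """Keep only denials where a confined profile targeted an unconfined (host) peer.

    This is the pattern from the thread: a container task running ps/lsof while it
    can see a host task, which the profile correctly refuses."""
    return {k: n for k, n in summary.items()
            if k[0] != "unconfined" and k[2] == "unconfined"}


if __name__ == "__main__":
    hits = container_to_unconfined(ptrace_denial_summary(SAMPLE_LOG))
    for (profile, comm, peer, mask), n in sorted(hits.items()):
        print(f"{n:3d}x profile={profile} comm={comm} peer={peer} denied_mask={mask}")
```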

