[network-manager] apparmor denials occur when using dbus api
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
snappy-hwe-snaps | Fix Released | Medium | Alfonso Sanchez-Beato |
Bug Description
When using the `network-manager` D-Bus API, some nuisance apparmor denials are occurring. It seems like `network-manager` is trying to get process information about the snap making the request, though I am not sure why:
Oct 10 17:57:45 localhost audit[1832]: AVC apparmor="DENIED" operation="ptrace" profile=
Oct 10 17:57:45 localhost kernel: audit: type=1400 audit(153919426
Oct 10 17:57:45 localhost audit[1832]: AVC apparmor="DENIED" operation="ptrace" profile=
Oct 10 17:57:45 localhost kernel: audit: type=1400 audit(153919426
Note: I changed the above hostname to localhost and redacted the peer snap name since this is part of our company's infrastructure.
Changed in snappy-hwe-snaps:
status: New → Confirmed
importance: Undecided → Medium
description: updated
Changed in snappy-hwe-snaps:
status: In Progress → Fix Released
The ptrace denials are a known issue, and were in fact noted as harmless in bug #1602383. We've done a code inspection of NetworkManager itself, and found no usage of ptrace. Likewise an informal review of all NM dependencies was done, and the offending code wasn't located. This was also re-visited recently during development of the NM 1.10 snap, and the only usage of ptrace found in any of NM's dependencies was in libc6 itself, so ptrace may be called indirectly via libc6.
I've set the priority to Medium as there've been no functional side-effects observed due to these denials to date.
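A triage sketch for denials like the ones quoted in the report, added here as an example and not part of the bug report or the snap's code: it tallies AppArmor `DENIED` records by operation, profile and peer, counting the `audit[...]` and `kernel: audit:` copies of one event only once. It assumes the usual AppArmor `key="value"` fields; the sample lines, including the profile and peer labels, are constructed placeholders.

```python
import re
from collections import Counter

# Constructed sample in the journal layout quoted in the report. Hostname,
# timestamps, profile and peer labels are placeholders, not values from the bug.
P = 'profile="snap.example-nm.daemon" pid=1832 comm="NetworkManager"'
PT = (f'apparmor="DENIED" operation="ptrace" {P} requested_mask="read" '
      'denied_mask="read" peer="snap.example-client.app"')
SAMPLE = [
    f'Jan 01 12:00:00 host audit[1832]: AVC {PT}',
    f'Jan 01 12:00:00 host kernel: audit: type=1400 audit(1700000000.100:71): {PT}',
    f'Jan 01 12:00:00 host audit[1832]: AVC {PT}',
    f'Jan 01 12:00:00 host kernel: audit: type=1400 audit(1700000000.104:72): {PT}',
    f'Jan 01 12:00:09 host audit[1832]: AVC apparmor="DENIED" operation="open" {P} '
    'name="/etc/example.conf" requested_mask="r" denied_mask="r"',
    'Jan 01 12:00:10 host sshd[900]: unrelated line',
]

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED record, else None."""
    if 'apparmor="DENIED"' not in line:
        return None
    return {key: quoted or bare for key, quoted, bare in KV.findall(line)}

def summarize(lines):
    """Count denials per (operation, profile, target, denied_mask).

    journald shows each event twice (audit[pid] copy and kernel copy), so the
    two sources are counted separately and the larger count per key is kept.
    """
    per_source = {'audit': Counter(), 'kernel': Counter()}
    for line in lines:
        fields = parse_denial(line)
        if fields is None:
            continue
        source = 'kernel' if ' kernel: ' in line else 'audit'
        key = (fields.get('operation'), fields.get('profile'),
               fields.get('peer') or fields.get('name'), fields.get('denied_mask'))
        per_source[source][key] += 1
    keys = set(per_source['audit']) | set(per_source['kernel'])
    return {k: max(per_source['audit'][k], per_source['kernel'][k]) for k in keys}

def ptrace_only(summary):
    """Keep only the ptrace denials, the class this bug treats as nuisance."""
    return {k: n for k, n in summary.items() if k[0] == 'ptrace'}
```

Anything left in the summary after removing the `ptrace_only` entries is a denial this bug does not cover and deserves a separate look.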