[Bug 1221840] podman with pasta (passt) fails with apparmor
https://bugzilla.suse.com/show_bug.cgi?id=1221840
https://bugzilla.suse.com/show_bug.cgi?id=1221840#c21

--- Comment #21 from Danish Prakash <danish.prakash@suse.com> ---
Created attachment 874006
  --> https://bugzilla.suse.com/attachment.cgi?id=874006&action=edit
audit log passt ptrace

(In reply to Christian Boltz from comment #18)
From the patch:
+++ b/contrib/apparmor/usr.bin.pasta + ptrace,
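Review bot: the bare `ptrace,` added to usr.bin.pasta has no permission list and no peer, so it allows trace, tracedby, read and readby against every peer. Replace it with a rule limited to what the denial records show, in the form `ptrace (<denied_mask>) peer=<peer>,`, taking both values from the audit events logged with operation="ptrace" for this profile.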
Just wondering - does pasta really need to trace everything, and be traced by everything - or could you make the rule more specific?
If you are unsure, please show the audit.log events for ptrace.
I've attached a snippet from `ausearch` which led me to add ptrace to the profile; I haven't explored this further, I must admit.

(In reply to Stefano Brivio from comment #20)
Thanks, it looks good to me, but I haven't looked yet into how to possibly restrict the 'ptrace' rule as suggested by Christian in comment #18.
I can probably manage to look into it later today if you don't. Once that's solved, yes, I would apply this upstream. Just to confirm: you're testing with this patch on top of mine from comment #12, correct?
Yes, it's on top of your patch from comment #13 and the changes I made to the package i.e. overriding symlinks with hardlinks.
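One way to act on the request in this thread (show the ptrace audit events, then make the rule more specific), as an added example that is not part of the bug report or of the passt project: it reads AppArmor denial records and emits per-peer `ptrace` rules limited to the permissions that were actually denied. The audit lines, profile names and peer names are constructed placeholders, not the contents of the attachment.

```python
import re
from collections import defaultdict

# Constructed sample records (NOT the bug's attachment); "example-pasta" and
# "example-runtime" are placeholder profile/peer names.
SAMPLE_AUDIT = '''\
type=AVC msg=audit(1700000000.101:901): apparmor="DENIED" operation="ptrace" profile="example-pasta" pid=4101 comm="pasta" requested_mask="read" denied_mask="read" peer="example-runtime"
type=AVC msg=audit(1700000000.102:902): apparmor="DENIED" operation="ptrace" profile="example-pasta" pid=4101 comm="pasta" requested_mask="read" denied_mask="read" peer="example-runtime"
type=AVC msg=audit(1700000000.250:903): apparmor="DENIED" operation="ptrace" profile="example-runtime" pid=4090 comm="runtime" requested_mask="trace" denied_mask="trace" peer="example-pasta"
type=AVC msg=audit(1700000000.300:904): apparmor="DENIED" operation="open" profile="example-pasta" name="/proc/4090/ns/net" pid=4101 comm="pasta" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
'''

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
PTRACE_PERMS = {"read", "readby", "trace", "tracedby"}


def parse_event(line):
    """Return the key=value fields of one audit record as a dict."""
    return {k: (q if q else u) for k, q, u in FIELD.findall(line)}


def narrowed_ptrace_rules(audit_text, profile):
    """Build per-peer ptrace rules for `profile` from its denied ptrace events."""
    perms_by_peer = defaultdict(set)
    for line in audit_text.splitlines():
        ev = parse_event(line)
        if (ev.get("apparmor") != "DENIED" or ev.get("operation") != "ptrace"
                or ev.get("profile") != profile):
            continue  # other operations, or denials that belong to another profile
        denied = set(re.split(r"[,\s]+", ev.get("denied_mask", "").strip()))
        perms_by_peer[ev.get("peer", "")] |= denied & PTRACE_PERMS
    # Assumption: peer names contain no spaces, so they are emitted unquoted.
    return [
        f"ptrace ({', '.join(sorted(perms))}) peer={peer},"
        for peer, perms in sorted(perms_by_peer.items())
        if perms and peer
    ]


if __name__ == "__main__":
    for rule in narrowed_ptrace_rules(SAMPLE_AUDIT, "example-pasta"):
        print(rule)
```

A denial logged under a different profile (the third sample record) is deliberately not turned into a rule for the profile being edited; it has to be resolved in the profile that recorded it.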