Understand AppArmor DENIED message

Hi there,

A quick question on the below Apparmor message. Is it that dockerd denied read access from SERVICE.APP or vice versa?
AVC apparmor="DENIED" operation="ptrace" profile="snap.docker.dockerd" pid=935 comm="ps" requested_mask="read" denied_mask="read" peer="snap.SERVICE.APP"

Thanks,
Hao

Identifies the process that triggered the denial: pid 935, argv[0] is ps, executing with profile snap.docker.dockerd.

Identifies the resource/object (sort of). Since it's ptrace, the relevant object is another process. That other process had the label snap.SERVICE.APP, so most likely it was an application from a snap. If it were a regular non-snap process, the peer would be unconfined (unless it had a profile of its own, e.g. like smbd).

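The reading given in the answer (profile = the confined process that was denied, peer = the process it tried to act on) can be applied mechanically to audit lines. The following is an added example, not code from the thread or from snapd/AppArmor: it parses AVC lines into fields and names subject and object, using the post's line (re-typed with straight quotes as audit.log writes them) plus a constructed file denial to show that for file operations the object is `name=` rather than `peer=`.

```python
import re

# Constructed samples: the first is the line from the post, the second a made-up
# file denial to show the other common object field.
SAMPLE_LINES = [
    'AVC apparmor="DENIED" operation="ptrace" profile="snap.docker.dockerd" pid=935 '
    'comm="ps" requested_mask="read" denied_mask="read" peer="snap.SERVICE.APP"',
    'AVC apparmor="DENIED" operation="open" profile="snap.docker.dockerd" '
    'name="/etc/shadow" pid=1200 comm="cat" requested_mask="r" denied_mask="r" '
    'fsuid=0 ouid=0',
]

# key=value pairs; values are either double-quoted strings or bare tokens
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_avc(line):
    """Return the key=value fields of one AppArmor AVC audit line as a dict."""
    fields = {}
    for key, raw, quoted in FIELD_RE.findall(line):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields


def describe_denial(line):
    """Explain who was denied what.

    The subject is always the process running under 'profile' (pid/comm tell
    you which instance). The object is 'peer' for process-to-process operations
    such as ptrace or signal, and 'name' (a path) for file operations.
    """
    f = parse_avc(line)
    if f.get("apparmor") != "DENIED":
        return None  # not a denial record; ignore
    subject = f"pid {f.get('pid')} ({f.get('comm')}) under profile {f.get('profile')}"
    if "peer" in f:
        label = f["peer"]
        obj = ("an unconfined process" if label == "unconfined"
               else f"a process labelled {label}")
    else:
        obj = f"file {f.get('name')}"
    return {
        "subject": f.get("profile"),
        "object": f.get("peer") or f.get("name"),
        "operation": f.get("operation"),
        "denied": f.get("denied_mask"),
        "summary": f"{subject} was denied {f.get('operation')} "
                   f"({f.get('denied_mask')}) on {obj}",
    }


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(describe_denial(sample)["summary"])
```

For the post's line this yields "pid 935 (ps) under profile snap.docker.dockerd was denied ptrace (read) on a process labelled snap.SERVICE.APP", i.e. dockerd's ps was the one denied, not the other way round.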