Ken,
The ptrace mediation in 12.04 LTS is very rudimentary; if you add capability sys_ptrace, to a profile then processes running in that profile are allowed to trace any process the discretionary access controls allow. The fine-grained permissions introduced in 14.04 LTS require both the new kernel and userspace.
I tested that the apparmor 2.7.102-0ubuntu3.10 package with the linux-generic-lts-trusty 3.13.0.49.43 package will allow ptrace using the capability sys_ptrace, permission via a strace profile:
# cat usr.bin.strace
# Last Modified: Sat Apr 11 03:38:35 2015
#include <tunables/global>
/usr/bin/strace {
#include <abstractions/base>
capability sys_ptrace,
/bin/ls rix,
/home/*/ r,
/proc/filesystems r,
/usr/bin/strace mr,
}
I tested both strace /bin/ls and strace -p 1.
Thanks
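The following is an added example, not part of the mail above or of the AppArmor project: a small audit script that parses a profile like the strace one quoted in the mail and reports how broadly it grants ptrace. The distinction it models is the one the mail describes: under 12.04-style coarse mediation, `capability sys_ptrace,` alone lets a confined process trace anything DAC allows, while the 14.04-style fine-grained mediation adds `ptrace` rules that name peers. The `parse_profile`/`audit_ptrace` function names, the embedded profile copies (constructed from the mail's listing) and the `ptrace (trace, read) peer=...` rule line (later AppArmor syntax, shown here only to exercise the parser) are this example's own assumptions.

```python
import re

# Constructed copy of the strace profile quoted in the mail above (embedded, not read from disk).
COARSE_PROFILE = """\
# Last Modified: Sat Apr 11 03:38:35 2015
#include <tunables/global>
/usr/bin/strace {
#include <abstractions/base>
capability sys_ptrace,
/bin/ls rix,
/home/*/ r,
/proc/filesystems r,
/usr/bin/strace mr,
}
"""

# Constructed variant using a fine-grained ptrace rule (assumed later AppArmor syntax),
# included so the parser and audit can be exercised on both shapes of profile.
FINE_GRAINED_PROFILE = """\
/usr/bin/strace {
capability sys_ptrace,
ptrace (trace, read) peer=/bin/ls,
/bin/ls rix,
}
"""

HEADER_RE = re.compile(r'^\s*(?:profile\s+)?(\S+)\s*(?:flags=\([^)]*\)\s*)?\{')
CAP_RE = re.compile(r'^\s*capability\s+([a-z_]+)\s*,')
PTRACE_RE = re.compile(r'^\s*ptrace\b(.*),\s*$')


def parse_profile(text):
    """Extract the profile name, the capabilities it grants and any ptrace rules.

    Comment and #include lines are skipped; file rules are ignored because the
    audit only cares about ptrace-related permissions.
    """
    prof = {"name": None, "capabilities": set(), "ptrace_rules": []}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = HEADER_RE.match(line)
        if m and prof["name"] is None:
            prof["name"] = m.group(1)
            continue
        m = CAP_RE.match(line)
        if m:
            prof["capabilities"].add(m.group(1))
            continue
        m = PTRACE_RE.match(line)
        if m:
            prof["ptrace_rules"].append(stripped)
    return prof


def audit_ptrace(prof, fine_grained_mediation):
    """Return a list of findings about how broadly the profile allows tracing.

    fine_grained_mediation=False models the 12.04 LTS kernel/userspace, where
    'capability sys_ptrace' is the only AppArmor control over ptrace.
    fine_grained_mediation=True models 14.04 LTS, where ptrace rules can also
    restrict which peers may be traced (assumed semantics, see lead-in).
    """
    findings = []
    has_cap = "sys_ptrace" in prof["capabilities"]
    if not has_cap and not prof["ptrace_rules"]:
        return findings  # nothing ptrace-related granted; nothing to report
    if not fine_grained_mediation:
        if has_cap:
            findings.append(
                f"{prof['name']}: capability sys_ptrace under coarse mediation "
                "allows tracing any process DAC permits")
    else:
        if has_cap and not prof["ptrace_rules"]:
            findings.append(
                f"{prof['name']}: sys_ptrace granted but no ptrace rules; "
                "no peer restriction is expressed in the profile")
    return findings


if __name__ == "__main__":
    for text in (COARSE_PROFILE, FINE_GRAINED_PROFILE):
        prof = parse_profile(text)
        for mode in (False, True):
            label = "fine-grained" if mode else "coarse"
            print(label, prof["name"], audit_ptrace(prof, mode) or ["no findings"])
```

Run against the mail's profile in coarse mode it reports the single broad grant the mail describes; against the fine-grained variant it reports nothing, because the `ptrace` rule names a peer. Extending the audit to a whole `/etc/apparmor.d` tree is a matter of feeding each file through `parse_profile`.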