[apparmor] [PATCH] apparmor: allow SYS_CAP_RESOURCE to be sufficient to prlimit another task

Seth Arnold seth.arnold at canonical.com
Fri Nov 6 20:34:38 UTC 2015


On Fri, Nov 06, 2015 at 03:17:30PM -0500, Jeff Mahoney wrote:
> While using AppArmor, SYS_CAP_RESOURCE is insufficient to call prlimit
> on another task. The only other example of an AppArmor mediating access to
> another, already running, task (ignoring fork+exec) is ptrace.
> 
> The AppArmor model for ptrace is that one of the following must be true:
> 1) The tracer is unconfined
> 2) The tracer is in complain mode
> 3) The tracer and tracee are confined by the same profile
> 4) The tracer is confined but has SYS_CAP_PTRACE

Thanks Jeff, this is going to take some time to think about.

I wonder though, and I thought I'd just ask since you're already thinking
about this, is your problem not solved by the 'ptrace' permissions in
profiles? One odd twist is that if both processes are confined with
different profiles, one profile needs to allow ptracing and the other
needs to allow being ptraced.

That'd look something like:

profile a {
  # a may trace (attach to) tasks confined by profile b
  ptrace trace peer=b,
}

profile b {
  # b must also consent to being traced by tasks confined by profile a
  ptrace tracedby peer=a,
}

Of course your use may need the 'read' and 'readby' rules instead.

<abstractions/base> includes rules to allow all processes to be readby and
tracedby all other processes (otherwise even unconfined root processes
couldn't strace confined processes, etc.) -- so the second half of the
permissions shouldn't be needed in most actual uses, but special
circumstances may require it.

Thanks
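A small C probe, added here as an illustration and not part of this thread or of the AppArmor tree, that calls prlimit(2) on another task and classifies why it failed. It assumes a forked child as the target (same uid and, because fork inherits confinement, the same profile, so on an unconfined or same-profile system every call succeeds) and relies on the errno split the kernel gives: EPERM from the uid/CAP_SYS_RESOURCE check in check_prlimit_permission() or from trying to raise a hard limit, EACCES from AppArmor's setrlimit check when the target is confined by a different profile. The enum and function names are my own.

```c
/* Added example, not from the thread or the AppArmor sources.
 * Probe prlimit(2) against another task and classify the failure.
 *
 * Assumptions (mine): the target is a forked child, so it shares our
 * credentials and AppArmor profile; EPERM means the DAC/capability
 * check failed (uid mismatch without CAP_SYS_RESOURCE, or raising a
 * hard limit), EACCES means an LSM such as AppArmor denied the call.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

/* Outcome of one prlimit probe, so callers can branch on the layer that refused. */
enum prlimit_outcome {
    PRL_OK = 0,        /* call succeeded */
    PRL_DAC_DENIED,    /* EPERM: uid/capability check failed */
    PRL_LSM_DENIED,    /* EACCES: LSM (e.g. AppArmor) denied */
    PRL_OTHER_ERROR    /* anything else (ESRCH, EINVAL, ...) */
};

/* Map a prlimit() return value plus errno onto the outcome above. */
enum prlimit_outcome classify(int rc)
{
    if (rc == 0) return PRL_OK;
    switch (errno) {
    case EPERM:  return PRL_DAC_DENIED;
    case EACCES: return PRL_LSM_DENIED;
    default:     return PRL_OTHER_ERROR;
    }
}

/* Read RLIMIT_NOFILE of another task; a NULL new limit means "read only". */
enum prlimit_outcome read_nofile(pid_t pid, struct rlimit *out)
{
    return classify(prlimit(pid, RLIMIT_NOFILE, NULL, out));
}

/* Lower another task's RLIMIT_NOFILE soft limit, leaving the hard limit
 * untouched: raising the hard limit would additionally need
 * CAP_SYS_RESOURCE even for a same-uid target. */
enum prlimit_outcome lower_nofile_soft(pid_t pid, rlim_t soft)
{
    struct rlimit cur;
    if (prlimit(pid, RLIMIT_NOFILE, NULL, &cur) != 0)
        return classify(-1);
    if (soft > cur.rlim_cur)      /* never raise; this helper only lowers */
        soft = cur.rlim_cur;
    struct rlimit want = { .rlim_cur = soft, .rlim_max = cur.rlim_max };
    return classify(prlimit(pid, RLIMIT_NOFILE, &want, NULL));
}

/* Spawn a child that blocks until we close the write end of a pipe. */
pid_t spawn_target(int *wake_fd)
{
    int fds[2];
    if (pipe(fds) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char c;
        close(fds[1]);
        /* read() returns 0 once the parent closes its end */
        while (read(fds[0], &c, 1) < 0 && errno == EINTR) ;
        _exit(0);
    }
    close(fds[0]);
    *wake_fd = fds[1];
    return pid;
}

/* Release and reap the target. */
void reap_target(pid_t pid, int wake_fd)
{
    close(wake_fd);
    waitpid(pid, NULL, 0);
}

/* End to end: read the child's soft limit, lower it by one, read it back.
 * Returns 0 on success or the outcome code of the first failing step. */
int demo(void)
{
    int wake;
    pid_t pid = spawn_target(&wake);
    if (pid < 0) return -1;
    struct rlimit before, after;
    enum prlimit_outcome o = read_nofile(pid, &before);
    if (o == PRL_OK) {
        rlim_t target = before.rlim_cur > 1 ? before.rlim_cur - 1 : before.rlim_cur;
        o = lower_nofile_soft(pid, target);
        if (o == PRL_OK) {
            o = read_nofile(pid, &after);
            if (o == PRL_OK && after.rlim_cur != target) o = PRL_OTHER_ERROR;
        }
    }
    reap_target(pid, wake);
    return (int)o;
}

int main(void)
{
    int rc = demo();
    printf("prlimit on child: %s\n", rc == 0 ? "ok" : "denied/failed");
    return rc;
}
```

To reproduce the denial Jeff describes, run this from a confined profile with the pid of a task confined by a different profile in place of the forked child; the EACCES branch is the one AppArmor takes, while EPERM points at the uid/CAP_SYS_RESOURCE check in the core kernel rather than at the LSM.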