[apparmor] AppArmor - dac_override questions

SZIGETVÁRI János jszigetvari at gmail.com
Sun Oct 25 16:14:18 UTC 2015


Hello Christian,

2015-10-25 0:37 GMT+02:00 Christian Boltz <apparmor at cboltz.de>:

> If I understand your mail right, you are running syslog-ng as a non-root
> user (correct?). Therefore it isn't allowed to read the root-only
> /proc/kmsg, with or without an AppArmor profile.
>
Yes, you are right. What you wrote covers the use case I described.


> AppArmor never *adds* permissions, it only restricts them.
> This also means that a "capability dac_override," rule is only relevant
> and helpful for processes running as root [1]. Processes running as non-
> root will hit the usual Linux DAC restrictions (+ possibly additional
> restrictions by the AppArmor profile).
>
Thanks for pointing this out. I thought I could (also) add additional
capabilities/rights to user processes as well via their respective AppArmor
profiles.


> To confirm this,   chmod go+r /proc/kmsg   and try again. If it works
> afterwards, my guess was right - if not, I was wrong ;-)
>
Well, actually changing group ownership and readability solves the problem,
but then another one arises:
How could one permanently change the ownership/access rights of a file on a
pseudo filesystem? (This holds true for both the /proc/kmsg and the
/dev/xconsole files.)
The most sane solution I came across for /proc/kmsg would be to change the
syslog-ng init script to check and change the ownership and access rights
if necessary.
For /dev/xconsole, perhaps a custom udev rule would give the best results.
Anyway, this problem is out of scope for this mailing list.


Also, what you told me leads me to believe that using any capability
specifications in non-root processes' profiles would make very little sense.
Of course, the possibility of additional file and network access
restrictions that one can impose on non-root processes with AppArmor does
validate its usefulness for user processes as well.

All-in-all, thanks for your help!

Best regards,
János Szigetvári

-- 
Janos SZIGETVARI
RHCE, License no. 150-053-692
<https://www.redhat.com/rhtapps/verify/?certId=150-053-692>

__ at __˚V˚
Make the switch to open (source) applications, protocols, formats now:
- windows -> Linux, iexplore -> Firefox, msoffice -> LibreOffice
- msn -> jabber protocol (Pidgin, Google Talk)
- mp3 -> ogg, wmv -> ogg, jpg -> png, doc/xls/ppt -> odt/ods/odp
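As an added example, not code from this post or from syslog-ng: the "check and fix ownership in the init script" approach discussed above for files on pseudo filesystems, together with a plain DAC read check that mirrors the `chmod go+r /proc/kmsg` test (a profile cannot grant what DAC denies, so the DAC bits are what must be verified). It assumes GNU coreutils `stat -c`; the group name `adm` in the usage comment is a placeholder, and touching the real /proc/kmsg requires root.

```shell
#!/bin/sh
# Added example (not from the mailing-list post or syslog-ng). Assumes GNU
# coreutils (stat -c) and that the target file is root-owned, as /proc/kmsg is.

# dac_readable_by_group PATH GROUP
# Succeeds when a non-root process running in GROUP could read PATH under
# ordinary DAC rules: either the "other" read bit is set (what chmod go+r
# produces) or the file's group is GROUP and the group read bit is set.
# Owner bits are ignored because the file is assumed to be owned by root.
dac_readable_by_group() {
    path=$1 group=$2
    mode=$(stat -c %a "$path") || return 1        # e.g. 640 (no leading zero)
    obits=$(( mode % 10 ))                         # "other" permission digit
    gbits=$(( (mode / 10) % 10 ))                  # "group" permission digit
    [ $(( obits & 4 )) -ne 0 ] && return 0
    [ "$(stat -c %G "$path")" = "$group" ] && [ $(( gbits & 4 )) -ne 0 ] && return 0
    return 1
}

# ensure_access PATH GROUP MODE
# What an init script would run before starting the daemon: set the group and
# the three-digit octal MODE only when they differ, so repeated runs are no-ops.
# Fails (status 1) if PATH is missing or a change could not be applied.
ensure_access() {
    path=$1 group=$2 mode=$3
    [ -e "$path" ] || { echo "$path: does not exist" >&2; return 1; }
    [ "$(stat -c %G "$path")" = "$group" ] || chgrp "$group" "$path" || return 1
    [ "$(stat -c %a "$path")" = "$mode" ] || chmod "$mode" "$path" || return 1
}

# Constructed init-script usage (needs root; "adm" is a placeholder group):
#   ensure_access /proc/kmsg adm 640 && dac_readable_by_group /proc/kmsg adm
```

Because the mode is reapplied on every start, the fix survives reboots even though the pseudo filesystem forgets it.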

