[apparmor] AppArmor and kernel capabilities
linux maillist
mailinglisten at posteo.de
Tue Sep 12 17:04:06 UTC 2017
Good day,
I run AppArmor version 2.10.2 on a kernel 4.4 system.
I created a profile for gpg, and that profile now requests the
capability dac_override.
This raises some questions for me. First, does dac_override honor the
folder permission rules within the profile? For example, if there is a
rule "/foo/** r," does dac_override honor this rule?
If dac_override still honors the folder rules, what then is the point of
asking for that capability?
Lastly, why is that capability requested at all?
Normally AppArmor complains if r/w access to a certain file/folder is needed.
But here a capability was requested.
Requesting dac_override does not give any hint about which file or folder
needs to be accessed...
It would be nice if someone could give me a hint on that CAP vs AppArmor
issue :-)
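Added illustration (editor's example, not part of the original post and not AppArmor's own tooling): AppArmor mediates capability use and file access at two separate points, so a profile needs both a "capability dac_override," line and a file rule such as "/foo/** r,". CAP_DAC_OVERRIDE only lets the process bypass the file's mode bits (discretionary access control); it does not bypass the profile's file rules, which is why the capability alone is not enough. The kernel consults the capability only after the mode bits have already denied the caller, and the resulting audit record names the capability, not a file. The script below parses constructed AppArmor audit lines (made up for this example, modelled on the kernel's type=1400 format), emits the profile rule each denial calls for, and pairs each dac_override denial with file accesses by the same pid where the accessing fsuid differs from the file owner. That pairing is a heuristic for finding the likely trigger, not information the capability record itself contains.

```python
import re

# Constructed sample lines in the AppArmor kernel audit format (type=1400);
# they are made up for this example and are not from the original post.
SAMPLE_LOG = """\
audit: type=1400 audit(1505235846.001:101): apparmor="DENIED" operation="capable" profile="/usr/bin/gpg" pid=4242 comm="gpg" capability=1  capname="dac_override"
audit: type=1400 audit(1505235846.002:102): apparmor="DENIED" operation="open" profile="/usr/bin/gpg" name="/home/alice/.gnupg/pubring.kbx" pid=4242 comm="gpg" requested_mask="r" denied_mask="r" fsuid=0 ouid=1000
audit: type=1400 audit(1505235846.003:103): apparmor="DENIED" operation="open" profile="/usr/bin/gpg" name="/etc/gnupg/gpgconf.conf" pid=4242 comm="gpg" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# Matches key=value and key="quoted value" fields of an audit record.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_log(text):
    """Parse every AppArmor audit line into a dict of its key=value fields."""
    records = []
    for line in text.splitlines():
        if 'apparmor=' not in line:
            continue
        fields = {}
        for m in FIELD_RE.finditer(line):
            key, quoted, bare = m.groups()
            fields[key] = quoted if quoted is not None else bare
        records.append(fields)
    return records


def suggest_rules(records):
    """Map each DENIED record to the profile rule that would allow it.

    Capability denials (operation="capable") and file denials come from
    separate mediation points: a capability rule never grants file access
    and a file rule never grants a capability, so both kinds are emitted.
    """
    rules = []
    for r in records:
        if r.get('apparmor') != 'DENIED':
            continue
        if r.get('operation') == 'capable':
            # capable() is checked on the capability alone; no path is logged.
            rules.append('capability %s,' % r['capname'])
        elif 'name' in r:
            mask = r.get('denied_mask') or r.get('requested_mask') or 'r'
            rules.append('%s %s,' % (r['name'], mask))
    return rules


def dac_override_candidates(records):
    """Heuristic (assumption, not stated by the log): for each dac_override
    denial, list file accesses by the same pid where the accessing fsuid is
    not the file owner (ouid).

    The kernel asks for CAP_DAC_OVERRIDE only after the mode bits have denied
    the caller; for a root process (fsuid=0) that usually means a file owned
    by another uid with restrictive permissions, so such paths are the likely
    triggers of the capability request.
    """
    caps = [r for r in records
            if r.get('operation') == 'capable'
            and r.get('capname') == 'dac_override']
    out = {}
    for c in caps:
        pid = c.get('pid')
        paths = sorted({r['name'] for r in records
                        if r.get('pid') == pid and 'name' in r
                        and r.get('fsuid') != r.get('ouid')})
        out[pid] = paths
    return out


if __name__ == '__main__':
    recs = parse_log(SAMPLE_LOG)
    for rule in suggest_rules(recs):
        print(rule)
    for pid, paths in dac_override_candidates(recs).items():
        print('pid %s dac_override likely for: %s' % (pid, ', '.join(paths)))
```

On a real system the input would be the AppArmor lines from the kernel log or audit log; the point of the fsuid/ouid pairing is that the capability record alone will never name the file, so the neighbouring file records from the same process are the only place that information can come from.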