[apparmor] Apparmor: Query
Murali Selvaraj
murali.selvaraj2003 at gmail.com
Mon Aug 3 18:03:38 UTC 2020
Hi All,
I have successfully set up AppArmor on my Linux machine.
Requirement:
- Trying to find the list of capabilities needed for the code below, which
runs in "unprivileged" mode [nobody user]
- When the code below executes, permission is denied for the write operation and
for killing the init process
cat /tmp/kill.sh
#!/bin/sh
echo "Exploring apparmor"
while [ 1 ]
do
    cat /nvram/foo
    # This operation won't be successful due to a permission issue.
    echo "TEST" > /nvram/foo
    # This operation won't be successful due to a permission issue.
    killall root_process
    sleep 5
done
ls -ltr /nvram/foo
-rw-r--r-- 1 root root 0 Aug 1 22:23 /nvram/foo
~# /tmp/kill.sh
~# su nobody
nobody@:/home/root$ /tmp/kill.sh &
[1] 18981
nobody@:/home/root$ Exploring apparmor
/tmp/kill.sh: line 6: /nvram/foo: Permission denied
killall: can't kill pid 4404: Operation not permitted
Analysis:
While running this process in (complain) mode in AppArmor, I assume the
required capabilities will be in the AppArmor event logs.
Please note that the process runs as the "unprivileged" (nobody) user.
For the write operation, while the process is running as the nobody user, it
needs the CAP_DAC_OVERRIDE capability to complete the write operation.
For the kill operation, while the process is running as the nobody user, it
needs the CAP_KILL capability to complete the kill operation.
Query 1:
- But I do not see CAP_DAC_OVERRIDE and CAP_KILL in the AppArmor event logs.
Query 2:
- How does AppArmor identify how many capabilities are needed for the process?
Query 3:
- Do all system calls need a capability when they run in a non-root process?
How does AppArmor map the Linux capabilities?
Can someone please clarify these queries?
Thanks
Murali.S
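The post asks how to recover the capabilities (and file accesses) a confined program needs from the complain-mode event log. The script below is an added example by the editor, not part of the original message or of the AppArmor project: it parses AppArmor audit lines (apparmor="ALLOWED" in complain mode, "DENIED" in enforce mode), collects the capname and requested_mask fields per profile, and turns them into candidate profile rules. The log lines in SAMPLE_LOG are constructed for the example; the field layout follows AppArmor's audit format, but the pids, timestamps and the /tmp/kill.sh profile name are assumptions. The mapping of mask characters to rule letters (c and d both folded into w) is also the editor's simplification.

```python
"""Summarise AppArmor complain-mode audit events into candidate profile rules."""
import re
from collections import defaultdict

# Constructed sample events (not from the original message). The field layout
# follows AppArmor's audit format; pids, timestamps and paths are made up.
SAMPLE_LOG = """\
type=AVC msg=audit(1596478800.100:200): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/tmp/kill.sh" pid=1700 comm="apparmor_parser"
type=AVC msg=audit(1596478800.101:201): apparmor="ALLOWED" operation="open" profile="/tmp/kill.sh" name="/nvram/foo" pid=18981 comm="cat" requested_mask="r" denied_mask="r" fsuid=65534 ouid=0
type=AVC msg=audit(1596478800.103:203): apparmor="ALLOWED" operation="capable" profile="/tmp/kill.sh" pid=18981 comm="kill.sh" capability=5 capname="kill"
type=AVC msg=audit(1596478800.104:204): apparmor="ALLOWED" operation="capable" profile="/tmp/kill.sh" pid=18981 comm="kill.sh" capability=1 capname="dac_override"
type=AVC msg=audit(1596478800.105:205): apparmor="ALLOWED" operation="open" profile="/tmp/kill.sh" name="/nvram/foo" pid=18981 comm="kill.sh" requested_mask="wc" denied_mask="wc" fsuid=65534 ouid=0
"""

# key="quoted value" or key=bare_value
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Mask characters AppArmor reports, mapped to the permission letter used in a
# profile rule. Create (c), delete (d) and append (a) all need w here
# (editor's simplification).
_MASK_TO_RULE = {"r": "r", "w": "w", "c": "w", "d": "w", "a": "w",
                 "x": "x", "m": "m", "k": "k", "l": "l"}


def parse_event(line):
    """Return the key/value fields of one audit line as a dict (empty if not an AppArmor event)."""
    if 'apparmor="' not in line:
        return {}
    fields = {}
    for m in _KV.finditer(line):
        key, quoted, bare = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else bare
    return fields


def summarize(log_text, profile=None):
    """Collect capabilities and file accesses per profile.

    Only ALLOWED (complain mode) and DENIED (enforce mode) events are used;
    STATUS lines such as profile loads are skipped. Pass profile= to keep a
    single profile.
    """
    caps = defaultdict(set)                          # profile -> {capname}
    files = defaultdict(lambda: defaultdict(set))    # profile -> path -> {mask chars}
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev.get("apparmor") not in ("ALLOWED", "DENIED"):
            continue
        prof = ev.get("profile")
        if profile and prof != profile:
            continue
        if ev.get("operation") == "capable" and "capname" in ev:
            caps[prof].add(ev["capname"])
        elif "name" in ev and "requested_mask" in ev:
            files[prof][ev["name"]].update(ev["requested_mask"])
    return {"capabilities": dict(caps),
            "files": {p: dict(f) for p, f in files.items()}}


def suggest_rules(summary, profile):
    """Turn the summary for one profile into sorted AppArmor rule lines."""
    rules = [f"capability {c}," for c in summary["capabilities"].get(profile, ())]
    for path, mask in summary["files"].get(profile, {}).items():
        letters = "".join(sorted({_MASK_TO_RULE[c] for c in mask if c in _MASK_TO_RULE}))
        rules.append(f"{path} {letters},")
    return sorted(rules)


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for prof in sorted(summary["capabilities"].keys() | summary["files"].keys()):
        print(f"# candidate rules for {prof}")
        for rule in suggest_rules(summary, prof):
            print("  " + rule)
```

On a real system the input would be the output of `journalctl -k` or `/var/log/audit/audit.log` fed through this script instead of SAMPLE_LOG. One thing to keep in mind when reading the result for an unprivileged run like the one in the post: a process running as nobody holds no capabilities, so the kernel's own capability check (the commoncap LSM, which runs before AppArmor's capable hook) already refuses CAP_DAC_OVERRIDE and CAP_KILL, and AppArmor never sees those requests. The log then shows only the file events (the open on /nvram/foo), not the capability events, which is why the summary for such a run lists no capabilities.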