[apparmor] Apparmor profile: mount/umount issue [ non-root application ]
Murali Selvaraj
murali.selvaraj2003 at gmail.com
Fri Jul 23 11:37:23 UTC 2021
Hi All,
I have created an apparmor profile for the process which does
mount/umount based on certain conditions.
The process is running as a "non-root" user with limited Linux Capabilities.
As per (man 7 capabilities) CAP_SYS_ADMIN is required for mount and
unmount operations.
While the process runs as enforce mode, I am observing the mount issue
saying that "must be a superuser to mount '' and
"must be superuser to unmount" for mount and unmount operations.
My operating system runs on util-linux.
Query:
-> Since we have required CAPs CAP_SYS_ADMIN in the profile and it
applied to the process as well but still observing
that mount and unmount fails [ "must be superuser to mount" and
"must be superuser to unmount" ].
-> Does mount/umount restriction is done by util-linux package? As per
our understanding CAP_SYS_ADMIN (capable) check
would be taken care of in Kernel code. It looks like user space
(util-linux package) restricts this permission issue.
Please clarify my understanding.
-> What would be ideal options to resolve the issue ( "non-root" user
does mount/umount operation ).
Thanks
Murali.S
More information about the AppArmor
mailing list