[apparmor] Apparmor profile: mount/umount issue [ non-root application ]
Seth Arnold
seth.arnold at canonical.com
Fri Jul 23 22:52:12 UTC 2021
On Fri, Jul 23, 2021 at 05:07:23PM +0530, Murali Selvaraj wrote:
> -> We have the required CAPs (CAP_SYS_ADMIN) in the profile and it is
> applied to the process as well, but we are still observing
> that mount and unmount fail [ "must be superuser to mount" and
> "must be superuser to unmount" ].

How did you grant CAP_SYS_ADMIN to the process?

> -> Is the mount/umount restriction done by the util-linux package? As per
> our understanding, the CAP_SYS_ADMIN (capable) check
> would be taken care of in kernel code. It looks like user space
> (the util-linux package) restricts this permission.
> Please clarify my understanding.

No, mount(8) is simply reporting the error message from the mount(2)
system call.

> -> What would be the ideal options to resolve the issue ( "non-root" user
> does mount/umount operation )?

If you didn't get any DENIED entries from AppArmor in your logs, then I
suspect that your process didn't actually get the CAP_SYS_ADMIN privilege
from its parent.

Thanks
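
The two checks the reply above points to, as an added example that is not part of the original message: it looks for AppArmor DENIED entries for the profile and, if there are none, checks whether CAP_SYS_ADMIN is actually in the process's effective set. The profile name /usr/bin/myapp, the sample status and log text, and the returned labels are constructed for illustration.

```python
import re

CAP_SYS_ADMIN = 21  # bit number of CAP_SYS_ADMIN in <linux/capability.h>

# Constructed /proc/<pid>/status excerpt for a non-root process.
SAMPLE_STATUS = """Name:\tmyapp
Uid:\t1000\t1000\t1000\t1000
CapInh:\t0000000000000000
CapPrm:\t0000000000000000
CapEff:\t0000000000000000
CapBnd:\t000001ffffffffff
"""

# Constructed kernel audit lines; profile names and paths are hypothetical.
SAMPLE_LOG = """audit: type=1400 audit(1627080000.101:40): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/bin/myapp" pid=900 comm="apparmor_parser"
audit: type=1400 audit(1627080001.202:41): apparmor="DENIED" operation="open" profile="/usr/bin/other" name="/etc/shadow" pid=950 comm="other" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

def cap_sets(status_text):
    """Parse the Cap* lines of a /proc/<pid>/status dump into {name: mask}."""
    found = re.findall(r"^(Cap\w+):\s*([0-9a-fA-F]+)\s*$", status_text, re.M)
    return {name: int(mask, 16) for name, mask in found}

def has_cap(mask, cap=CAP_SYS_ADMIN):
    """True if capability bit `cap` is set in the hex mask."""
    return bool((mask >> cap) & 1)

def apparmor_denials(log_text, profile):
    """DENIED lines for `profile` whose operation is mount, umount or capable."""
    want = re.compile(r'operation="(?:mount|umount|capable)"')
    return [l for l in log_text.splitlines()
            if 'apparmor="DENIED"' in l and f'profile="{profile}"' in l
            and want.search(l)]

def diagnose(status_text, log_text, profile):
    """Return a label (hypothetical names) for the likely source of the EPERM."""
    if apparmor_denials(log_text, profile):
        return "apparmor-denied"
    if not has_cap(cap_sets(status_text).get("CapEff", 0)):
        return "cap-not-effective"
    return "look-elsewhere"

if __name__ == "__main__":
    print(cap_sets(SAMPLE_STATUS))
    print(diagnose(SAMPLE_STATUS, SAMPLE_LOG, "/usr/bin/myapp"))
```

On a live system, pass the contents of /proc/<pid>/status for the confined process and the kernel log text in place of the constructed samples.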