<div dir="ltr">Hi All, I have successfully set up the apparmor in my Linux machine. Requirement: - Trying to find the list of capabilities needed for this below code which runs in "unprivileged" mode [ nobody user ] - The below code while executes, permission denied for write operation and killing init process cat /tmp/kill.sh #!/bin/sh echo "Exploring apparmor" while [ 1 ] do cat /nvram/foo echo "TEST" > /nvram/foo => This operation won't be successful due to permission issue. killall root_process => This operation won't be successful due to permission issue. sleep 5 done ls -ltr /nvram/foo -rw-r--r-- 1 root root 0 Aug 1 22:23 /nvram/foo ~# /tmp/kill.sh ~# su nobody nobody@:/home/root$ nobody@/home/root$ nobody@:/home/root$ nobody@:/home/root$ /tmp/kill.sh & [1] 18981 nobody@:/home/root$ Exploring apparmor /tmp/kill.sh: line 6: /nvram/foo: Permission denied killall: can't kill pid 4404: Operation not permitted Analysis: While running this process (complain) mode in apparmor, I assume the required capabilities will be apparmor event logs. Please note that, the process runs in "unprivileged (nobody) user. For write operation while the process is running in nobody user mode, it needs CAP_DAC_OVERRIDE capability to complete the write operation. For kill operation, while the process is running in nobody user mode, it needs CAP_KILL capability to complete the kill operation. Query 1: - But I do not see CAP_DAC_OVERRIDE and CAP_KILL in apparmor event logs. Query 2: - How apparmor identities how many capabilities are needed for the process? Query 3: - Does all system calls need capability when it runs in a non-root process, how does apparmor mapping the linux capabilities? Can someone please clarify these queries?<div> </div><div>Thankx</div><div>Murali.S </div></div>