[Apparmor-dev] AppArmor and capabilities?

Markku Savela msa at moth.iki.fi
Mon Nov 12 05:09:25 MST 2007


An AppArmor profile has a "capability" entry. I assume these "capability"
entries only limit the capabilities the confined process would have
had anyway. They cannot be used to grant a new, increased
capability to the confined process. Right?

I'm just wondering, because doing capabilities on Linux would need
some place to store the increased capabilities for the executable. An
executable-based profile, like an AppArmor profile, would be a logical
place.

Putting a capability on every file descriptor (file attributes) seems
a waste, as they would only be meaningful for executables (I count
script files as executables too).

Or, am I totally misguided here...?

Perhaps someone needs to make a trivial profile system like AppArmor for
executables, and implement only capability granting there?
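Added example, not part of the post or of the AppArmor project: a small model of how a profile's `capability` rules combine with the capability set the kernel already gave the process. The kernel's own capability check runs first, and AppArmor's rule can only deny on top of it, so the usable set is the intersection; a capability listed only in the profile is never gained. The profile text, the `/proc/<pid>/status` excerpt and the (partial) name-to-bit table are constructed for the example.

```python
"""Model AppArmor capability mediation: profile rules restrict, never grant."""
import re

# Capability names -> bit numbers as in linux/capability.h (subset, constructed
# for this example; extend from the header for a full table).
CAP_BITS = {
    "chown": 0, "dac_override": 1, "dac_read_search": 2, "fowner": 3,
    "fsetid": 4, "kill": 5, "setgid": 6, "setuid": 7, "setpcap": 8,
    "net_bind_service": 10, "net_admin": 12, "net_raw": 13,
    "sys_module": 16, "sys_chroot": 18, "sys_ptrace": 19, "sys_admin": 21,
}

# Constructed sample inputs: a profile fragment and a /proc/<pid>/status excerpt
# whose CapEff mask 0x401 sets bits 0 (chown) and 10 (net_bind_service).
SAMPLE_PROFILE = """
/usr/sbin/example {
  capability net_bind_service,
  capability sys_admin,
  /etc/example.conf r,
}
"""
SAMPLE_STATUS = "Name:\texample\nCapEff:\t0000000000000401\nCapBnd:\t0000003fffffffff\n"


def profile_capabilities(profile_text):
    """Names allowed by the profile's 'capability <name>,' rules."""
    caps = set()
    for line in profile_text.splitlines():
        m = re.match(r"\s*capability\s+([a-z_]+)\s*,", line)
        if m:
            caps.add(m.group(1))
    return caps


def effective_capabilities(status_text):
    """Names set in the CapEff hex mask of a /proc/<pid>/status text."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)", status_text, re.M)
    mask = int(m.group(1), 16)
    return {name for name, bit in CAP_BITS.items() if (mask >> bit) & 1}


def mediated_capabilities(status_text, profile_text):
    """Capabilities usable under confinement: what the kernel granted,
    intersected with the profile's allow-list. sys_admin appears only in
    the profile above, so it is not gained."""
    return effective_capabilities(status_text) & profile_capabilities(profile_text)
```

Running `mediated_capabilities(SAMPLE_STATUS, SAMPLE_PROFILE)` on the constructed inputs yields only `net_bind_service`; to check a live process, feed it the contents of `/proc/<pid>/status` and the loaded profile text.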
