[Apparmor-dev] AppArmor and capabilities?

John Johansen jjohansen at suse.de
Mon Nov 12 10:51:55 MST 2007


On Mon, Nov 12, 2007 at 02:09:25PM +0200, Markku Savela wrote:
> 
> AppArmor profile has "capability" entry. I assume these "capability"
> entries only limit the capabilities the confined process would already
> have had anyway. They cannot be used to grant a new, increased
> capability to the confined process. Right?
> 
Correct.

> I'm just wondering, because doing capabilities on linux would need
> some place to store the increased capabilities for the executable. An
> executable based profile, like AppArmor profile would be a logical
> place.
> 
> Putting capability on every file descriptor (file attributes) seems a
> waste, as they would only be meaningful for executables (I count
> script files as executables too).
> 
> Or, am I totally misguided here...?
> 
Yes, the extra information could be stored in a profile.  The fscaps
project uses a file's extended attributes to store the information,
but the attributes are only set on binaries that need it (previously
suid).  Fscaps then sets the executable's capability mask when
the program is started.

> Perhaps someone needs to make trivial profile system like AppArmor for
> executables, and implement only capability granting there?
> 
It has been considered and even prototyped; it could even be included
in the future depending on community feedback.  The larger question
is whether this is a feature that really belongs in AppArmor, and whether
we wouldn't just be better off stacking with the fscaps project.
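The two mechanisms the reply contrasts can be made concrete. The fscaps grant John describes is a `security.capability` extended attribute on the binary, laid out as `struct vfs_cap_data` from `linux/capability.h`; the kernel reads it at exec and fills the new process's permitted set from it. An AppArmor `capability` rule (e.g. `capability net_bind_service,`) is consulted later, when the process actually tries to use a capability, and can only deny. The program below is an added example written for this archive page, not code from the AppArmor or fscaps projects. It decodes a `security.capability` blob (both the v2 layout and the v3 layout that adds a `rootid` for user namespaces) and models the AppArmor check as an intersection of what the process holds with what the profile allows, so that the profile can never add a bit. The two xattr blobs are constructed inline and labelled as such; the revision and flag constants are the kernel's own. Reading a real file's xattr through `getxattr()` is optional and needs Linux.

```c
/*
 * Decode a security.capability xattr (struct vfs_cap_data) and model the
 * AppArmor "capability" rule check.  Added example for this mailing-list
 * page; not code from the AppArmor or fscaps projects.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#ifdef __linux__
#include <sys/xattr.h>
#endif

/* Constants as defined in linux/capability.h */
#define VFS_CAP_REVISION_MASK   0xFF000000U
#define VFS_CAP_FLAGS_EFFECTIVE 0x00000001U
#define VFS_CAP_REVISION_2      0x02000000U
#define VFS_CAP_REVISION_3      0x03000000U
#define XATTR_CAPS_SZ_2         20
#define XATTR_CAPS_SZ_3         24
#define CAP_NET_BIND_SERVICE    10
#define CAP_NET_RAW             13
#define CAP_SYS_ADMIN           21
#define CAP_BIT(c)              ((uint64_t)1 << (c))

struct fscaps {
    unsigned revision;      /* 2 or 3 */
    int      effective;     /* VFS_CAP_FLAGS_EFFECTIVE: permitted is also raised into effective */
    uint64_t permitted;     /* caps the binary may hold after exec */
    uint64_t inheritable;   /* caps passed through from the parent's inheritable set */
    uint32_t rootid;        /* v3 only: the user-namespace root id the grant is bound to */
};

static uint32_t le32(const unsigned char *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Parse an xattr blob.  Returns 0 on success, -1 if size or revision is wrong. */
int decode_fscaps(const unsigned char *buf, size_t len, struct fscaps *out)
{
    if (len < 4)
        return -1;
    uint32_t magic = le32(buf);
    uint32_t rev = magic & VFS_CAP_REVISION_MASK;
    size_t want;
    if (rev == VFS_CAP_REVISION_2)      want = XATTR_CAPS_SZ_2;
    else if (rev == VFS_CAP_REVISION_3) want = XATTR_CAPS_SZ_3;
    else                                return -1;   /* v1 or garbage: refuse */
    if (len != want)
        return -1;
    memset(out, 0, sizeof *out);
    out->revision  = rev >> 24;
    out->effective = (magic & VFS_CAP_FLAGS_EFFECTIVE) != 0;
    /* data[0] covers caps 0..31, data[1] covers caps 32..63 */
    out->permitted   = (uint64_t)le32(buf + 4) | (uint64_t)le32(buf + 12) << 32;
    out->inheritable = (uint64_t)le32(buf + 8) | (uint64_t)le32(buf + 16) << 32;
    if (rev == VFS_CAP_REVISION_3)
        out->rootid = le32(buf + 20);
    return 0;
}

/*
 * Model of the AppArmor side: fscaps decides what the process holds after
 * exec; the profile's "capability" rules decide which of those it may use.
 * The result is always a subset of the fscaps grant, never a superset.
 */
uint64_t caps_usable(uint64_t process_caps, uint64_t profile_caps)
{
    return process_caps & profile_caps;
}

/* Constructed sample blobs (not dumped from any real binary). */
static const unsigned char SAMPLE_V2[XATTR_CAPS_SZ_2] = {
    0x01, 0x00, 0x00, 0x02,   /* magic_etc: revision 2, effective flag set */
    0x00, 0x24, 0x00, 0x00,   /* data[0].permitted: CAP_NET_BIND_SERVICE | CAP_NET_RAW */
    0x00, 0x00, 0x00, 0x00,   /* data[0].inheritable */
    0x00, 0x00, 0x00, 0x00,   /* data[1].permitted */
    0x00, 0x00, 0x00, 0x00,   /* data[1].inheritable */
};
static const unsigned char SAMPLE_V3[XATTR_CAPS_SZ_3] = {
    0x00, 0x00, 0x00, 0x03,   /* revision 3, effective flag clear */
    0x00, 0x00, 0x20, 0x00,   /* data[0].permitted: CAP_SYS_ADMIN (bit 21) */
    0x00, 0x00, 0x00, 0x00,   /* data[0].inheritable */
    0x00, 0x00, 0x00, 0x00,   /* data[1].permitted */
    0x00, 0x00, 0x00, 0x00,   /* data[1].inheritable */
    0xe8, 0x03, 0x00, 0x00,   /* rootid = 1000 */
};

static void show(const char *label, const unsigned char *buf, size_t len)
{
    struct fscaps c;
    if (decode_fscaps(buf, len, &c) != 0) {
        printf("%s: malformed security.capability blob\n", label);
        return;
    }
    /* Hypothetical profile that grants only "capability net_bind_service," */
    uint64_t profile = CAP_BIT(CAP_NET_BIND_SERVICE);
    printf("%s: v%u eff=%d fP=%#llx fI=%#llx rootid=%u usable-under-profile=%#llx\n",
           label, c.revision, c.effective, (unsigned long long)c.permitted,
           (unsigned long long)c.inheritable, c.rootid,
           (unsigned long long)caps_usable(c.permitted, profile));
}

int main(int argc, char **argv)
{
    show("sample-v2", SAMPLE_V2, sizeof SAMPLE_V2);
    show("sample-v3", SAMPLE_V3, sizeof SAMPLE_V3);
#ifdef __linux__
    if (argc > 1) {                         /* e.g. ./fscaps /usr/bin/ping */
        unsigned char buf[XATTR_CAPS_SZ_3];
        ssize_t n = getxattr(argv[1], "security.capability", buf, sizeof buf);
        if (n < 0)
            perror("getxattr");
        else
            show(argv[1], buf, (size_t)n);
    }
#endif
    return 0;
}
```

The decoder refuses any blob whose size does not match its revision, which is also what the kernel does; a truncated or padded xattr is treated as absent rather than partially honoured. Note that in the v2 sample the process holds `CAP_NET_RAW` after exec, yet under the hypothetical profile only `CAP_NET_BIND_SERVICE` survives the intersection, which is the "limit but never grant" behaviour the reply confirms.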