[Apparmor-dev] Confining the "kill" capability?

Markku Savela msa at moth.iki.fi
Tue Nov 27 01:18:19 MST 2007


The capability check for CAP_KILL is only performed when a process
attempts to kill a process belonging to another user (the LSM hook is
not even called otherwise). [Or perhaps this is only a special effect of
the root user; I have not analyzed the code too closely yet.]

I was experimenting with the idea: can AppArmor contain a root shell? So I
just made a profile for "tcsh" with the following lines:

     /** mixr,
     /root/ rw,
     /root/** rw,

As far as the file system is concerned, the above works very nicely, but
containment "fails" in a major way with "kill" -- the shell can kill all
root-owned processes.

The "fails" is in quotes because I assume that it works as
intended. However, it would be nice to be able to prevent a process from
killing other processes, even if they run under the same user (I would
not like a bug in firefox to cause some malware to be able to kill all of
my other processes).

AppArmor does not currently implement the hook "task_kill". A quick
fix would be just to add this and check for CAP_KILL. This would of
course be a slight change in the CAP_KILL capability semantics when
AppArmor is running (instead of being the capability to kill any process
of any user, it would be a required capability to kill any other
process except self).

Another approach would require extending the profile syntax with some
construct that indicates the capability to kill other processes of the
same user.
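The two kill-permission semantics contrasted in the post (the stock check, and the proposed AppArmor task_kill check that requires CAP_KILL for any target except self) as a userspace model. This is an added example, not kernel code and not from the original message; the struct, enum and function names are invented for illustration, and the model ignores the kernel's euid/suid cross-checks.

```c
/* Added example: a userspace model of the two kill-permission semantics
 * discussed on the list. Not kernel code; all names here are invented. */
#include <stdbool.h>
#include <sys/types.h>

/* Minimal view of a task: only what the permission decision needs
 * (real uid only; the kernel also cross-checks euid/suid). */
struct task {
    pid_t pid;
    uid_t uid;
};

enum kill_policy {
    KILL_VANILLA,      /* stock kernel: CAP_KILL only needed across users */
    KILL_AA_TASK_KILL  /* proposed AppArmor task_kill hook: CAP_KILL needed
                          for every target except the sender itself */
};

/* Returns true if 'sender' may signal 'target' under 'policy'.
 * 'has_cap_kill' says whether the sender's profile grants CAP_KILL. */
bool kill_permitted(enum kill_policy policy, const struct task *sender,
                    const struct task *target, bool has_cap_kill)
{
    if (sender->pid == target->pid)
        return true;                 /* a process may always signal itself */
    if (has_cap_kill)
        return true;                 /* CAP_KILL overrides in both models */
    if (policy == KILL_VANILLA)
        return sender->uid == target->uid;  /* same user: no capability needed */
    /* AppArmor task_kill semantics: anything but self requires CAP_KILL,
     * even for processes owned by the same user (the confined root shell
     * from the post can no longer kill other root-owned processes). */
    return false;
}
```

With this model, a confined root shell (uid 0, no CAP_KILL in its profile) is allowed to kill another root-owned process under KILL_VANILLA but refused under KILL_AA_TASK_KILL.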
