[Apparmor-general] Ability to allow unpriviledged user to renice
process...
Crispin Cowan
crispin at crispincowan.com
Mon Oct 1 09:30:54 MDT 2007
Pavan Callikan wrote:
> Hello all
>
> Consider this scenario:
> ======================================================================
> [wants to raise priority on a process without privilege]...
> Given this scenario - I would take it that AppArmor should be able to
> solve this issue as it mediates the POSIX capabilities of root, which is
> what the unprivileged user needs - that POSIX capability is sys_nice.
> That said, I can't seem to be able to accomplish this.
>
AppArmor is purely restrictive: it does not grant any access or
capability that you don't already have.
So, when you write a profile like the one you provided, it is saying
that if the process already *has* cap_sys_nice, it gets to keep it, and
all other POSIX.1e capabilities are stripped away, even if the process
was root-owned.
To solve the problem you described with AppArmor, the only way to do it
is to introduce some root-owned process (whether suid, sudo, whatever)
that is then confined with a tight AppArmor profile so that it is not
too dangerous, and then give it cap_sys_nice.
Crispin
--
Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/
Itanium. Vista. GPLv3. Complexity at work
More information about the Apparmor-general
mailing list