Hello,
I have used AppArmor a bit, and must say that I like it a lot. I have
used it on a few servers, and in some security competitions. As a
HIPS, it is easy to use and fairly effective (from what I have seen).
I just saw your question and it sparked my curiosity. From some
quick googling, I presume that cap_setuid allows a process or call to
be passed as another user (we'll say root for now). I wondered if
root was exempt from the AppArmor rules (although I doubted it), so I
configured my VMed webserver to access a denied config file for
mod_security, and then started apache as root. It failed with an
error from AppArmor claiming that access was denied to the
configuration file. I restored the permissions in AppArmor and
received a different error; apparently the Apache developers were
smart enough to disallow apache to be run as root. Nonetheless,
AppArmor would not even let it get this far, so even root privileges
cannot override AppArmor profiles.
Regards,
Matt
On 4/6/06, *Brian Eaton* <eaton.lists@xxxxxxxxx> wrote:
On 4/5/06, Crispin Cowan <crispin@xxxxxxxxxx> wrote:
> Pascal Meunier wrote:
> > but as you posted an example profile with "capability setuid", I must
> > admit I am curious as to why an email client needs that.
> Well now that is a very good question, but it has nothing to do with
> AppArmor. The AppArmor learning mode just records the actions that the
> application performs. With or without AppArmor, the Thunderbird mail
> client is using cap_setuid. AppArmor gives you the opportunity to *deny*
> that capability, so you can try blocking it and find out. But for
> documentation on why Thunderbird needs it, you would have to look at
> mozilla.org not the AppArmor pages.
Does cap_setuid give a program enough authority to break out of the
AppArmor profile?
Regards,
Brian
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
--
Matt Lidestri
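As an added illustration (not from this thread or the AppArmor project), here is a profile fragment in current AppArmor syntax showing the capability rule that learning mode records beside the explicit deny that Crispin suggests trying; the binary path, the config paths and the home-directory rules are assumed, and the deny rule works the same whether the process runs as root or not, which is what Matt's Apache test observed.

```apparmor
# Added example, not a profile from the thread. Hypothetical binary path.
#include <tunables/global>

/usr/lib/thunderbird/thunderbird {
  #include <abstractions/base>

  # What learning mode (aa-genprof / aa-logprof) writes when it sees the
  # program call setuid(): the capability is simply granted as observed.
  # capability setuid,

  # Explicit deny instead: any setuid() call fails with EPERM and the kernel
  # logs an apparmor="DENIED" operation="capable" event with capname="setuid".
  # Being uid 0 does not bypass this; confinement follows the profile, not
  # the uid.
  deny capability setuid,

  # Assumed file rules. A path not listed here is denied for everyone,
  # root included.
  /etc/thunderbird/** r,
  owner @{HOME}/.thunderbird/** rw,
}
```

Load with `apparmor_parser -r` on the file, then watch the audit or kernel log while exercising the program to see whether the client actually needs the capability.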
_______________________________________________
Apparmor-dev mailing list
Apparmor-dev@xxxxxxxxxxxxxxxx
http://forge.novell.com/mailman/listinfo/apparmor-dev