On Thu, Apr 06, 2006 at 11:38:48AM -0400, Brian Eaton wrote:
> On 4/5/06, Crispin Cowan <crispin@xxxxxxxxxx> wrote:
> > Pascal Meunier wrote:
> > > but as you posted an example profile with "capability setuid", I must
> > > admit I am curious as to why an email client needs that.
> > Well now that is a very good question, but it has nothing to do with
> > AppArmor. The AppArmor learning mode just records the actions that the
> > application performs. With or without AppArmor, the Thunderbird mail
> > client is using cap_setuid. AppArmor gives you the opportunity to *deny*
> > that capability, so you can try blocking it and find out. But for
> > documentation on why Thunderbird needs it, you would have to look at
> > mozilla.org not the AppArmor pages.
>
> Does cap_setuid give a program enough authority to break out of the
> AppArmor profile?
>

No. AppArmor's profile will confine a process the same no matter what
the uid is (including root). When a confined program changes its uid,
the apparmor profile persists and continues to confine the program the
same as it did under the old uid.

Note that there may be a change in what can be accessed because of DAC
(standard unix permission checking). DAC permissions are checked before
apparmor's profile, so it can be used to reduce permissions to a subset
of what is allowed by the apparmor profile.

john
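Added example, not part of the original thread: a small audit helper that reports, for one process, whether it holds cap_setuid and which AppArmor profile confines it, so you can confirm the profile label stays the same after a uid change. It assumes the current Linux `/proc/<pid>/status` and `/proc/<pid>/attr/current` formats; the sample data and the Thunderbird profile name are constructed.

```python
CAP_SETUID = 7  # bit number of CAP_SETUID in linux/capability.h

def parse_status(status_text):
    """Return (real_uid, effective_uid, CapEff mask) from /proc/<pid>/status text."""
    fields = {}
    for line in status_text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.split()
    uids = [int(u) for u in fields["Uid"]]  # real, effective, saved, fs
    return uids[0], uids[1], int(fields["CapEff"][0], 16)

def parse_confinement(attr_text):
    """Split /proc/<pid>/attr/current into (profile, mode); mode is None if unconfined."""
    label = attr_text.replace("\x00", "").strip()
    if not label or label == "unconfined":
        return "unconfined", None
    if label.endswith(")") and " (" in label:
        profile, mode = label[:-1].rsplit(" (", 1)
        return profile, mode
    return label, None

def assess(status_text, attr_text):
    """Combine uid, capability and confinement facts for one process."""
    _ruid, euid, cap_eff = parse_status(status_text)
    profile, mode = parse_confinement(attr_text)
    return {
        "euid": euid,
        "has_cap_setuid": bool((cap_eff >> CAP_SETUID) & 1),
        "profile": profile,
        "enforced": mode == "enforce",
    }

# Constructed samples: the same process before and after changing uid to 0.
SAMPLE_STATUS_USER = "Name:\tthunderbird\nUid:\t1000\t1000\t1000\t1000\nCapEff:\t0000000000000080\n"
SAMPLE_STATUS_ROOT = "Name:\tthunderbird\nUid:\t0\t0\t0\t0\nCapEff:\t0000000000000080\n"
SAMPLE_ATTR = "/usr/lib/thunderbird/thunderbird (enforce)\n"  # hypothetical profile name

if __name__ == "__main__":
    with open("/proc/self/status") as fh:
        status = fh.read()
    try:
        with open("/proc/self/attr/current") as fh:
            attr = fh.read()
    except OSError:  # no LSM attribute interface available
        attr = "unconfined"
    print(assess(status, attr))
```

A process that shows `has_cap_setuid: True` together with `enforced: True` can change uid but keeps the same profile; one that shows `profile: unconfined` has only DAC between it and the filesystem.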
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/