Full Disclosure: Re: [Apparmor-dev] Re: Re: [SC-L] Re: [Owasp-dotnet] RE: 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code

From: John Johansen <jjohansen_at_suse.de>
Date: Tue, 11 Apr 2006 14:39:51 -0700

On Thu, Apr 06, 2006 at 11:38:48AM -0400, Brian Eaton wrote:
> On 4/5/06, Crispin Cowan <crispin_at_novell.com> wrote:
> > Pascal Meunier wrote:
> > > but as you posted an example profile with "capability setuid", I must
> > > admit I am curious as to why an email client needs that.
> > Well now that is a very good question, but it has nothing to do with
> > AppArmor. The AppArmor learning mode just records the actions that the
> > application performs. With or without AppArmor, the Thunderbird mail
> > client is using cap_setuid. AppArmor gives you the opportunity to *deny*
> > that capability, so you can try blocking it and find out. But for
> > documentation on why Thunderbird needs it, you would have to look at
> > mozilla.org not the AppArmor pages.
>
> Does cap_setuid give a program enough authority to break out of the
> AppArmor profile?
>
No. AppArmor's profile will confine a process the same no matter what the
uid is (including root). When a confined program changes its uid the
apparmor profile persists and continues to confine the program the same as
it did under the old uid.

Note that there may be a change in what can be accessed because of DAC
(standard unix permission checking). DAC permissions are checked before
apparmor's profile so it can be used to reduce permissions to a subset of
what is allowed by the apparmor profile.

john

Received on Apr 11 2006