Setting Capabilities per Profile

Normally AppArmor only restricts existing native Linux controls and does not grant additional privileges. Therefore a program, having been granted write access to a file via its profile, would not be able to actually write to this file as long as the mode bits are set to read only.

The only exception to this strict rule is the set capability rule. This provides the ability to give non-root users administrative privileges, as defined in the capabilities(7) man page. Contrary to setting a program to setuid or using file system capabilities (that apply to single programs only), the set capability rule allows the user to apply capabilities to multiple programs running under a specific profile (by using ix transitions). For security reasons, set capability rules will not be inherited (once a program leaves the profile, it loses the elevated privilege).

[Warning]Use set capabilities Rules with Extreme Caution

Using the set capabilities rules allows to give processes root privileges. Therefore these rules should be used with extreme caution and only in exceptional cases.

To set a capability in a profile the keyword set is prepended to a capability rule. Setting a capability also implicitly adds a capability rule allowing that capability.

set capabilty cap_chown,
[Note]

Currently the tools can not be used to add rlimit rules to profiles. The only way to add rlimit controls to a profile is to manually edit the profile with a text editor. The tools will still work with profiles containing rlimit rules and will not remove them, so it is safe to use the tools to update profiles containing them.