Normally AppArmor only restricts existing native Linux controls and does not grant additional privileges. Therefore a program, having been granted write access to a file via its profile, would not be able to actually write to this file as long as the mode bits are set to read only.
The only exception to this strict rule is the set
capability
rule. This provides the ability to give non-root
users administrative privileges, as defined in the
capabilities(7)
man page. Contrary to setting a
program to setuid or using file system capabilities (that apply to single
programs only), the set capability rule allows the user to apply
capabilities to multiple programs running under a specific profile (by
using ix transitions). For security reasons, set capability rules will
not be inherited (once a program leaves the profile, it loses the
elevated privilege).
![]() | Use set capabilities Rules with Extreme Caution |
---|---|
Using the set capabilities rules allows to give processes |
To set a capability in a profile the keyword “set” is prepended to a capability rule. Setting a capability also implicitly adds a capability rule allowing that capability.
set capabilty cap_chown,
![]() | |
Currently the tools can not be used to add rlimit rules to profiles. The only way to add rlimit controls to a profile is to manually edit the profile with a text editor. The tools will still work with profiles containing rlimit rules and will not remove them, so it is safe to use the tools to update profiles containing them. |