Hi,

We have a process which starts as root and then we drop the unused
privileges and run as non-root.

Captured the capabilities of the process with apparmor by putting the
profile in audit, complain mode and generated profile with logprof.

1. With the generated profile, the process starts if we run it in
root mode and it does not change to non-root.
2. With the generated profile, the process does not start if we try to
change to non-root.

For non-root mode, I tried adding the capabilities manually, all 36
capabilities, and it did not work. But if I add the capability rule which
grants all capabilities (the last one, highlighted below), the process starts.

capability sys_module,
capability sys_pacct,
capability sys_time,
capability mknod,
capability lease,
capability audit_write,
capability audit_control,
capability mac_override,
capability mac_admin,
capability syslog,
capability wake_alarm,
capability block_suspend,
capability audit_read,
capability dac_override,
capability setgid,
capability setuid,
capability sys_admin,
capability chown,
capability dac_read_search,
capability fowner,
capability fsetid,
capability ipc_lock,
capability ipc_owner,
capability kill,
capability linux_immutable,
capability net_admin,
capability net_bind_service,
capability net_raw,
capability setfcap,
capability setpcap,
capability sys_boot,
capability sys_chroot,
capability sys_nice,
capability sys_ptrace,
capability sys_resource,
capability sys_rawio,
*#capability,*

Can someone please clarify this behaviour?

Thanks,
Swarna
-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor
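One way to find which capability rules a profile still lacks is to diff the capnames in AppArmor "capable" audit events against the profile's explicit rules, as in this added example (not code from the post or from the AppArmor project); the log lines, the profile fragment and the path /opt/svc are constructed.

```python
import re

# Constructed sample audit lines in the AppArmor "capable" event format;
# they are not from the original post.
SAMPLE_LOG = """\
audit: type=1400 audit(1700000000.001:10): apparmor="ALLOWED" operation="capable" profile="/opt/svc" pid=4242 comm="svc" capability=7 capname="setuid"
audit: type=1400 audit(1700000000.002:11): apparmor="DENIED" operation="capable" profile="/opt/svc" pid=4242 comm="svc" capability=11 capname="net_broadcast"
audit: type=1400 audit(1700000000.003:12): apparmor="DENIED" operation="open" profile="/opt/svc" name="/etc/shadow" pid=4242 comm="svc" requested_mask="r" denied_mask="r"
audit: type=1400 audit(1700000000.004:13): apparmor="DENIED" operation="capable" profile="/opt/svc" pid=4242 comm="svc" capability=26 capname="sys_tty_config"
"""

# Constructed profile fragment using the same rule syntax as the post.
SAMPLE_PROFILE = """\
  capability setuid,
  capability setgid,
  capability net_bind_service,
"""

# One "capable" event: verdict plus the capability name the kernel checked.
CAP_EVENT_RE = re.compile(
    r'apparmor="(?P<verdict>ALLOWED|DENIED|AUDIT)"\s+operation="capable".*?'
    r'capname="(?P<cap>[a-z_]+)"'
)
# One "capability <name>," rule; a bare "capability," (grant all) has no name and is not matched.
CAP_RULE_RE = re.compile(r'^\s*capability\s+([a-z_]+)\s*,', re.MULTILINE)


def capabilities_from_log(log: str) -> set[str]:
    """Capabilities the confined process actually exercised (any verdict)."""
    return {m.group("cap") for m in CAP_EVENT_RE.finditer(log)}


def capabilities_in_profile(profile: str) -> set[str]:
    """Capabilities already granted by explicit rules in the profile."""
    return set(CAP_RULE_RE.findall(profile))


def missing_rules(log: str, profile: str) -> list[str]:
    """Rules to add so the profile covers every capability seen in the log."""
    needed = capabilities_from_log(log) - capabilities_in_profile(profile)
    return [f"capability {cap}," for cap in sorted(needed)]


if __name__ == "__main__":
    for rule in missing_rules(SAMPLE_LOG, SAMPLE_PROFILE):
        print(rule)
```

Run it against the real audit log captured while the process runs as the non-root user, since capabilities exercised only after the uid change will not appear in a root-only capture.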