Re: [apparmor] Apparmor profile: mount/umount issue [ non-root application ]
On Fri, Jul 23, 2021 at 05:07:23PM +0530, Murali Selvaraj wrote:
> -> Since we have the required CAP_SYS_ADMIN in the profile and it is
> applied to the process as well, we still observe that mount and unmount
> fail [ "must be superuser to mount" and "must be superuser to unmount" ].

How did you grant CAP_SYS_ADMIN to the process?

> -> Is the mount/umount restriction done by the util-linux package? As per
> our understanding, the CAP_SYS_ADMIN (capable) check would be taken care
> of in kernel code. It looks like user space (the util-linux package)
> restricts this permission. Please clarify my understanding.

No, mount(8) is simply reporting the error message from the mount(2) system call.

> -> What would be the ideal options to resolve the issue (a "non-root" user
> doing mount/umount operations)?

If you didn't get any DENIED entries from AppArmor in your logs, then I suspect that your process didn't actually get the CAP_SYS_ADMIN privilege from its parent.

Thanks

-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
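The reply above makes two points: mount(8) only relays the EPERM it got from mount(2), and the first thing to verify is whether the process actually holds CAP_SYS_ADMIN. The script below is an added example, not code from the thread or from the AppArmor project. It reads the capability masks from /proc/<pid>/status (or from a constructed status snippet, labelled as such) and reports whether CAP_SYS_ADMIN (capability number 21 in <linux/capability.h>) is present in each set. The usual reason a non-root child shows the bit only in CapInh is that it was never added to the ambient set, so the effective set is emptied on execve; the setpriv(1) invocation in the comments assumes a util-linux with ambient-capability support.

```shell
#!/bin/sh
# Added example: check which capability sets of a process contain
# CAP_SYS_ADMIN, the capability may_mount() in the kernel tests before
# allowing mount(2)/umount2(2). Without it the kernel returns EPERM and
# mount(8) prints "must be superuser ...".

CAP_SYS_ADMIN=21   # capability number, from <linux/capability.h>

# cap_in_mask HEXMASK BIT -> exit 0 if BIT is set in the 64-bit hex mask
# printed in /proc/<pid>/status (CapInh/CapPrm/CapEff/CapBnd/CapAmb).
cap_in_mask() {
    mask=$1
    bit=$2
    [ $(( (0x$mask >> $bit) & 1 )) -eq 1 ]
}

# has_effective_sys_admin STATUS_TEXT -> exit 0 if CAP_SYS_ADMIN is in CapEff,
# i.e. the process could actually pass the kernel's capable() check now.
has_effective_sys_admin() {
    eff=$(printf '%s\n' "$1" | sed -n 's/^CapEff:[[:space:]]*//p')
    [ -n "$eff" ] && cap_in_mask "$eff" "$CAP_SYS_ADMIN"
}

# report_caps STATUS_TEXT -> one line per capability set, sys_admin=yes|no
report_caps() {
    printf '%s\n' "$1" | while IFS=':' read -r key val; do
        case $key in
        CapInh|CapPrm|CapEff|CapBnd|CapAmb)
            val=$(printf '%s' "$val" | tr -d ' \t')
            if cap_in_mask "$val" "$CAP_SYS_ADMIN"; then state=yes; else state=no; fi
            printf '  %s sys_admin=%s\n' "$key" "$state"
            ;;
        esac
    done
}

# Constructed status snippets (not captured from a real system). 0x200000 is
# bit 21 = CAP_SYS_ADMIN; 0x1ffffffffff is a full bounding set on a 5.x kernel.

# Typical failure: the parent put CAP_SYS_ADMIN in the inheritable set only.
# No file capabilities and no ambient bit, so after execve CapPrm/CapEff are
# empty and mount(2) fails with EPERM even though the AppArmor profile has
# "capability sys_admin," and therefore logs nothing.
STATUS_INH_ONLY='Name:	mounter
CapInh:	0000000000200000
CapPrm:	0000000000000000
CapEff:	0000000000000000
CapBnd:	000001ffffffffff
CapAmb:	0000000000000000'

# Working case: CAP_SYS_ADMIN is also in the ambient set, so it survives
# execve into CapPrm and CapEff for an unprivileged uid. One way to start a
# process like this from root (assumes util-linux with --ambient-caps):
#   setpriv --reuid=1000 --regid=1000 --init-groups \
#           --inh-caps=+sys_admin --ambient-caps=+sys_admin -- ./mounter
STATUS_AMBIENT='Name:	mounter
CapInh:	0000000000200000
CapPrm:	0000000000200000
CapEff:	0000000000200000
CapBnd:	000001ffffffffff
CapAmb:	0000000000200000'

echo 'constructed: inheritable only (mount will fail with EPERM)'
report_caps "$STATUS_INH_ONLY"
echo 'constructed: ambient + effective (kernel capable() check passes)'
report_caps "$STATUS_AMBIENT"

# Live check of the current shell, on Linux only.
if [ -r "/proc/$$/status" ]; then
    echo "live: pid $$"
    report_caps "$(cat "/proc/$$/status")"
fi
```

Run it as the same user and from the same parent that launches the real process (or point it at the real pid by replacing `$$`): if CapEff shows sys_admin=no while CapInh shows yes, the capability was handed down but not made ambient, which matches the symptom in the thread. If CapEff shows yes and mount still fails, look again at the AppArmor log for a DENIED line on the mount rule rather than on the capability.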
[apparmor] Apparmor profile: mount/umount issue [ non-root application ]
Hi All,

I have created an AppArmor profile for a process which does mount/umount based on certain conditions. The process is running as a "non-root" user with limited Linux capabilities. As per (man 7 capabilities), CAP_SYS_ADMIN is required for mount and unmount operations. While the process runs in enforce mode, I am observing a mount issue saying "must be superuser to mount" and "must be superuser to unmount" for mount and unmount operations. My operating system runs on util-linux.

Query:

-> Since we have the required CAP_SYS_ADMIN in the profile and it is applied to the process as well, we still observe that mount and unmount fail [ "must be superuser to mount" and "must be superuser to unmount" ].

-> Is the mount/umount restriction done by the util-linux package? As per our understanding, the CAP_SYS_ADMIN (capable) check would be taken care of in kernel code. It looks like user space (the util-linux package) restricts this permission. Please clarify my understanding.

-> What would be the ideal options to resolve the issue (a "non-root" user doing mount/umount operations)?

Thanks
Murali.S