[apparmor] Apparmor profile enforce issue, when changing from root to non-root

swarna latha sswarnas at gmail.com
Tue Sep 1 00:25:26 UTC 2020


Hi,

We have a process which starts as root; we then drop the unused
privileges and run as non-root.

We captured the capabilities of the process with AppArmor by putting the
profile in audit/complain mode and generated the profile with logprof.

1. With the generated profile, the process starts if we run it as
root and do not change to non-root.
2. With the generated profile, the process does not start if we try to
change to non-root.

For non-root mode, we tried adding the capabilities manually, all 36 of
them, and it did not work. But if I add "capability," (which grants all
capabilities; the last one highlighted below), the process starts.

capability sys_module,
capability sys_pacct,
capability sys_time,
capability mknod,
capability lease,
capability audit_write,
capability audit_control,
capability mac_override,
capability mac_admin,
capability syslog,
capability wake_alarm,
capability block_suspend,
capability audit_read,
capability dac_override,
capability setgid,
capability setuid,
capability sys_admin,
capability chown,
capability dac_read_search,
capability fowner,
capability fsetid,
capability ipc_lock,
capability ipc_owner,
capability kill,
capability linux_immutable,
capability net_admin,
capability net_bind_service,
capability net_raw,
capability setfcap,
capability setpcap,
capability sys_boot,
capability sys_chroot,
capability sys_nice,
capability sys_ptrace,
capability sys_resource,
capability sys_rawio,
#capability,

Can someone please clarify this behaviour?

Thanks,
Swarna
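A practical check for the situation described in the post is to let the audit log, rather than a hand-written capability list, say what AppArmor actually denied after the uid switch: once a process has changed to a non-root uid it normally holds no effective capabilities at all, so a remaining denial may be a file access (the new uid reading a root-owned file) rather than a missing "capability" rule. The script below is an added example, not code from the original post or from the AppArmor project: it parses AppArmor audit events, emits "capability" rules for every capable event, emits file rules for denied file operations, and flags accesses where the process uid (fsuid) no longer matches the file owner (ouid), which an "owner" rule would not cover. The log lines, the profile path /opt/app/daemon and the file /var/lib/app/state.db are constructed for the example.

```python
"""Turn AppArmor audit events into profile rules (added example).

Not code from the original post or from the AppArmor project. The sample
log lines, the profile path /opt/app/daemon and the file
/var/lib/app/state.db are constructed assumptions for this example.
"""
import re

# Constructed audit lines in the format the kernel emits for AppArmor:
# capability checks carry operation="capable" and capname=..., file
# denials carry name=..., denied_mask=..., fsuid=... and ouid=...
SAMPLE_LOG = """
type=AVC msg=audit(1598919926.123:456): apparmor="ALLOWED" operation="capable" profile="/opt/app/daemon" pid=1234 comm="daemon" capability=7  capname="setuid"
type=AVC msg=audit(1598919926.124:457): apparmor="ALLOWED" operation="capable" profile="/opt/app/daemon" pid=1234 comm="daemon" capability=6  capname="setgid"
type=AVC msg=audit(1598919926.125:458): apparmor="DENIED" operation="open" profile="/opt/app/daemon" name="/var/lib/app/state.db" pid=1234 comm="daemon" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=0
type=AVC msg=audit(1598919926.126:459): apparmor="DENIED" operation="capable" profile="/opt/app/daemon" pid=1234 comm="daemon" capability=1  capname="dac_override"
"""

# key=value pairs; values may be double-quoted (paths, names) or bare.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_events(text):
    """Return one dict of fields per line that carries an apparmor= field."""
    events = []
    for line in text.splitlines():
        if 'apparmor=' not in line:
            continue
        events.append({k: v.strip('"') for k, v in KV_RE.findall(line)})
    return events


def capability_rules(events):
    """One 'capability NAME,' rule per capability seen in a capable event.

    ALLOWED (complain mode) and DENIED events both count: the process
    asked for the capability either way. A bare 'capability,' rule would
    grant every capability; the explicit list keeps least privilege.
    """
    names = {e['capname'] for e in events
             if e.get('operation') == 'capable' and 'capname' in e}
    return ['capability %s,' % n for n in sorted(names)]


def file_rules(events):
    """(rule, note) pairs for denied file accesses.

    The note is non-empty when the accessing uid differs from the file
    owner: after dropping from root to a non-root uid, root-owned files
    are no longer matched by 'owner' rules, so an unqualified rule is
    needed.
    """
    rules, seen = [], set()
    for e in events:
        if e.get('apparmor') != 'DENIED' or 'name' not in e:
            continue
        mask = e.get('denied_mask') or e.get('requested_mask', '')
        rule = '%s %s,' % (e['name'], ''.join(sorted(mask)))
        if rule in seen:
            continue
        seen.add(rule)
        note = ''
        if 'fsuid' in e and 'ouid' in e and e['fsuid'] != e['ouid']:
            note = 'fsuid %s != ouid %s: not covered by an owner rule' % (
                e['fsuid'], e['ouid'])
        rules.append((rule, note))
    return rules


def unobserved_capabilities(events, granted):
    """Capabilities present in a profile but never requested in the log,
    i.e. grants that can be removed without changing behaviour."""
    observed = {e['capname'] for e in events
                if e.get('operation') == 'capable' and 'capname' in e}
    return sorted(set(granted) - observed)


def profile_snippet(events, profile):
    """Render the derived rules as an AppArmor profile body."""
    lines = ['%s {' % profile]
    lines += ['  ' + r for r in capability_rules(events)]
    for rule, note in file_rules(events):
        lines.append('  ' + rule + ('  # ' + note if note else ''))
    lines.append('}')
    return '\n'.join(lines)


if __name__ == '__main__':
    events = parse_events(SAMPLE_LOG)
    print(profile_snippet(events, '/opt/app/daemon'))
    print('unused grants:', unobserved_capabilities(
        events, ['setuid', 'setgid', 'sys_admin']))
```

Run it against the real audit log (for example the output of "journalctl -k" or /var/log/audit/audit.log filtered on the profile name) taken from a run in which the process does switch to the non-root uid; the denied file rules and the fsuid/ouid notes show whether the failure is a capability at all.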