[apparmor] Apparmor profile enforce issue, when changing from root to non-root
John Johansen
john.johansen at canonical.com
Wed Sep 2 07:05:33 UTC 2020
On 8/31/20 9:09 PM, swarna latha wrote:
> Yes Seth.
>
> My system works fine if the capability line is in the profile.
>
> Below are my two queries...
>
> 1. Is listing all the capabilities the same as adding the "capability," line? I don't see the same behaviour. Listing all the capabilities is not working, whereas
> adding the "capability," line works.
> 2. I am not able to identify the required capability from the AppArmor logs. Ideally we should see it in the capable operation? Is there any scenario where
> a capability is used, and AppArmor does not log it...
>
The dedup cache can keep capabilities from being logged if the request has been encountered recently.
What kernel are you using? And are you willing to build or try a debug kernel?
> Thanks,
> Swarna
> On Mon, Aug 31, 2020 at 11:26 PM Seth Arnold <seth.arnold at canonical.com> wrote:
>
> On Mon, Aug 31, 2020 at 10:34:46PM -0400, swarna latha wrote:
> > I am getting the complete set of libraries used by my process with status=
> > AUDIT, right from /etc/ld.so.cache. It looks to me as though the profile is
> > not applied, though I have rules allowing the /etc/ld.so.cache access.
> >
> > As I have these file entries in my profile, I am not getting
> > ALLOWED/DENIED, hence I am not able to regenerate the profile with these events.
>
> Hello Swarna, so, is it the case that your system works fine when the
> 'capability,' line is in the profile, but when you remove it and reload
> the profile, the application doesn't start *and* doesn't log anything
> different?
>
> Thanks
>
>
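The second question in the thread, how to find the capability a profile is missing from the logs, comes down to picking the `operation="capable"` events out of the AppArmor audit stream and reading their `capname` field. The script below is an added example, not code from the thread or from the AppArmor project. It parses AppArmor kernel log lines, groups the capabilities each profile used by status (DENIED in enforce mode, ALLOWED in complain mode, AUDIT when an audited rule matched), turns the missing ones into `capability <name>,` rules, and reports which names an explicit capability list fails to cover. The profile path `/usr/local/bin/myapp` and the log lines in `SAMPLE_LOG` are constructed for the example. Two caveats follow from the thread itself: as John notes, the kernel's dedup cache can suppress a repeat of a recently logged request, so a capability absent from the log is not proof that it was not used; and a bare `capability,` rule grants every capability the kernel knows about, so an explicit list that looks complete can still fall short of it.

```python
import re
from collections import defaultdict

# Constructed sample log lines in the AppArmor kernel audit format (not from the thread).
# The profile name and pids are made up for the example.
SAMPLE_LOG = """\
audit: type=1400 audit(1598928555.123:45): apparmor="DENIED" operation="capable" profile="/usr/local/bin/myapp" pid=2310 comm="myapp" capability=12  capname="net_admin"
audit: type=1400 audit(1598928555.124:46): apparmor="AUDIT" operation="open" profile="/usr/local/bin/myapp" name="/etc/ld.so.cache" pid=2310 comm="myapp" requested_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1598928555.130:47): apparmor="DENIED" operation="capable" profile="/usr/local/bin/myapp" pid=2310 comm="myapp" capability=7  capname="setuid"
audit: type=1400 audit(1598928555.131:48): apparmor="DENIED" operation="capable" profile="/usr/local/bin/myapp" pid=2310 comm="myapp" capability=6  capname="setgid"
audit: type=1400 audit(1598928555.140:49): apparmor="ALLOWED" operation="capable" profile="/usr/local/bin/myapp" pid=2310 comm="myapp" capability=12  capname="net_admin"
"""

# key=value or key="quoted value" pairs as AppArmor prints them
_PAIR = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_apparmor_line(line):
    """Return the key/value fields of one AppArmor audit line, or None if it is not one."""
    if 'apparmor=' not in line:
        return None
    fields = {}
    for key, value in _PAIR.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields if 'apparmor' in fields else None


def capabilities_by_profile(log_text):
    """Map profile -> status (DENIED/ALLOWED/AUDIT) -> set of capability names from 'capable' events."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        fields = parse_apparmor_line(line)
        if not fields or fields.get('operation') != 'capable':
            continue
        # Fall back to the numeric capability if the line carries no capname field.
        name = fields.get('capname') or 'cap#' + fields.get('capability', '?')
        seen[fields['profile']][fields['apparmor']].add(name)
    return seen


def suggest_capability_rules(log_text, profile):
    """Rules for capabilities the profile needed but did not already allow.

    DENIED events come from enforce mode, ALLOWED from complain mode; both mean
    the profile has no matching rule.  AUDIT events already matched a rule.
    A capability never logged (e.g. dropped by the dedup cache) cannot appear here.
    """
    per_status = capabilities_by_profile(log_text).get(profile, {})
    needed = per_status.get('DENIED', set()) | per_status.get('ALLOWED', set())
    return ['capability %s,' % name for name in sorted(needed)]


def missing_from_explicit_list(log_text, profile, listed):
    """Capability names the log shows the profile using that an explicit rule list omits."""
    per_status = capabilities_by_profile(log_text).get(profile, {})
    used = set().union(*per_status.values()) if per_status else set()
    return sorted(used - set(listed))


if __name__ == '__main__':
    profile = '/usr/local/bin/myapp'
    for rule in suggest_capability_rules(SAMPLE_LOG, profile):
        print(rule)
    print('not covered by [setuid, setgid]:',
          missing_from_explicit_list(SAMPLE_LOG, profile, ['setuid', 'setgid']))
```

Feed it the real lines from `dmesg` or `/var/log/audit/audit.log` (or `journalctl -k`) instead of `SAMPLE_LOG`; it only reads the `capable` events, so the AUDIT file lines that were cluttering the earlier log dump are ignored.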