
I'm trying to understand AppArmor capabilities at the moment. I found an example which had me make a copy of /bin/ping and generate an AppArmor profile for it.

First I made a copy of /bin/ping and set its net_raw capability to permitted and effective per the instructions:

sudo cp /bin/ping /bin/fake_ping
sudo setcap cap_net_raw+ep  /bin/ping-x

Then I generated an AppArmor profile:

sudo aa-genprof /bin/ping-x

The AppArmor profile is saved in enforced mode, and everything works. After that I unset the net_raw capability:

sudo setcap cap_net_raw-ep  /bin/ping-x

As expected, it doesn't work now due to this missing capability:

fake_ping: socktype: SOCK_RAW
fake_ping: socket: Operation not permitted
fake_ping: => missing cap_net_raw+p capability or setuid?

My question:

The newly generated AppArmor profile already contains the capability net_raw, so why doesn't it work without cap_net_raw=ep set in the extended attributes? How is it different?
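The capability sets the question is about, decoded from /proc/PID/status as an added shell example (not part of the question). An AppArmor `capability net_raw,` rule only allows a confined process to use CAP_NET_RAW if the process already holds it in its Permitted/Effective sets; the file capability written by `setcap cap_net_raw+ep` is what puts the bit there. The two status files below are constructed samples, not captured output.

```shell
#!/bin/sh
# Added example (not from the question): decode the kernel capability sets
# of a process from /proc/PID/status, which is what ping's
# "missing cap_net_raw+p capability or setuid?" message refers to.

CAP_NET_RAW=13   # bit index of CAP_NET_RAW (see <linux/capability.h>)

# cap_in_mask HEXMASK CAPNUM: print 1 if bit CAPNUM is set in HEXMASK, else 0.
cap_in_mask() {
    printf '%d\n' "$(( (0x$1 >> $2) & 1 ))"
}

# cap_net_raw_state [STATUS_FILE]: report CAP_NET_RAW in the Permitted,
# Effective and Bounding sets of a status file (default: this shell).
cap_net_raw_state() {
    status=${1:-/proc/self/status}
    prm=$(awk '/^CapPrm:/ {print $2}' "$status")
    eff=$(awk '/^CapEff:/ {print $2}' "$status")
    bnd=$(awk '/^CapBnd:/ {print $2}' "$status")
    printf 'Prm=%s Eff=%s Bnd=%s\n' \
        "$(cap_in_mask "$prm" "$CAP_NET_RAW")" \
        "$(cap_in_mask "$eff" "$CAP_NET_RAW")" \
        "$(cap_in_mask "$bnd" "$CAP_NET_RAW")"
}

# Constructed sample: an unprivileged fake_ping after `setcap cap_net_raw-ep`.
# The bounding set still permits the capability, but nothing grants it, so the
# AppArmor rule has nothing to allow and socket(SOCK_RAW) fails with EPERM.
sample_status_without_xattr() {
    f=$(mktemp)
    printf 'Name:\tfake_ping\nCapPrm:\t0000000000000000\nCapEff:\t0000000000000000\nCapBnd:\t000001ffffffffff\n' > "$f"
    echo "$f"
}

# Constructed sample: the same binary after `setcap cap_net_raw+ep`
# (0x2000 is bit 13, i.e. CAP_NET_RAW, in Permitted and Effective).
sample_status_with_xattr() {
    f=$(mktemp)
    printf 'Name:\tfake_ping\nCapPrm:\t0000000000002000\nCapEff:\t0000000000002000\nCapBnd:\t000001ffffffffff\n' > "$f"
    echo "$f"
}

cap_net_raw_state "$(sample_status_without_xattr)"   # Prm=0 Eff=0 Bnd=1
cap_net_raw_state "$(sample_status_with_xattr)"      # Prm=1 Eff=1 Bnd=1
cap_net_raw_state                                    # this shell's own sets
```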

  • Does this answer your question? [root owned program with setuid bit on](https://unix.stackexchange.com/questions/51874/root-owned-program-with-setuid-bit-on) – symcbean Aug 10 '23 at 12:50
  • @symcbean No, that question was specifically about setuid and the effective user id of a process. In my example I do not set setuid but am trying to set particular capabilities. Apparently there is a difference between setting capabilities in an AppArmor profile and setting them in extended attributes by `setcap` – xycainoff Aug 12 '23 at 12:33
  • @xycainoff I'm guessing "fake_ping" is some kind of alias to a copy of ping? Is it possible that this error is actually filtering up from ping itself? That is, your copy of the ping program lacks the setuid permission bit, and you're trying to run it as a regular user? – BryKKan Aug 21 '23 at 08:48
  • @BryKKan Yes, there is no setuid on this program. The whole point of setting particular capabilities on a program is to get rid of "root setuid". Obviously if it had the setuid attribute set to root, it would be executed as root and have CAP_SYS_ADMIN capabilities. – xycainoff Aug 24 '23 at 10:45
  • Ah, I see what you're asking now. The grammar makes it a little hard to parse. Basically your question is "What is the effect of `cap_net_raw=ep` in extended attributes, and why is it not behaving like the example I followed which seems similar?" – BryKKan Aug 25 '23 at 05:57
  • I suggested an edit for you, but it doesn't fully fix the question. I can't help with the last paragraph because I don't know for sure what you're saying. I don't know enough about AppArmor to guess either I'm afraid. When you say "newly generated profile...", do you mean some other one you created with specific settings? In that case you should say 'I generated a new profile..." If you mean that `cap_net_raw=ep` is the default for *all* new profiles, say "Newly generated AppArmor profile***s*** already have... " – BryKKan Aug 25 '23 at 06:10
  • @BryKKan Thank you for your edit, now it's much better! English is not my first language. – xycainoff Aug 26 '23 at 09:44

0 Answers