Permission denied when capability is granted
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
AppArmor | Invalid | Undecided | Unassigned |
Bug Description
I'm writing a profile for airodump-ng. Even though the capability is included in the profile, the program is still being denied permission. Adding another permission, capability net_admin, solved the issue and allowed the program to run.
sudo apparmor_parser -r -d /etc/apparmor.
----- Debugging built structures -----
Name: /usr/sbin/
Profile Mode: Enforce
Capabilities: dac_override setuid net_bind_service net_raw
Quiet Caps: dac_override setuid net_bind_service net_raw
Network: ax25 { stream dgram } rose { stream dgram } econet { raw }
moshe@moshe-
* Reloading AppArmor profiles Skipping profile in /etc/apparmor.
Skipping profile in /etc/apparmor.
moshe@moshe-
socket(PF_PACKET) failed: Operation not permitted
moshe@moshe-
Jul 19 16:27:35 moshe-desktop kernel: [169024.990583] type=1400 audit(143733765
Profile:
# Last Modified: Sun Jul 19 14:06:23 2015
#include <tunables/global>
/usr/sbin/
  #include <abstractions/base>
  #include <abstractions/
  capability dac_override,
  capability setuid,
  # CAP_NET_RAW is the capability checked when a raw or packet socket is opened
  capability net_raw,
  # AF_PACKET raw socket, i.e. what socket(PF_PACKET, SOCK_RAW, ...) asks for
  network packet raw,
  deny @{HOME}/*/.* rw,
  /bin/dash rix,
  /bin/ls rix,
  /sbin/ r,
  /sbin/iwpriv rix,
  @{HOME}/** r,
  owner @{HOME}/**.cap w,
  owner @{HOME}/**.csv w,
  owner @{HOME}
  owner @{HOME}/**.gps w,
  /usr/
  /proc/
  /proc/
  /proc/
  /usr/
}
tags: added: aa-kernel
This bug may have been caused by a second, conflicting profile.
While this issue can likely be closed, it may be worth checking if a second profile will be loaded for a single binary, and logging that.
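The check suggested in the comment above (more than one profile attaching to the same binary) and the symptom in the bug report (a `network packet raw` rule present in the profile being edited, yet `socket(PF_PACKET)` still refused) can both be scripted. The Python below is an added example for this page, not code from AppArmor or from the bug reporter. It parses a set of constructed profile files, lists attachment paths that more than one profile claims, and reads the `profile=`, `family=` and `sock_type=` fields of a constructed AppArmor denial line to report which profile the kernel actually applied and which of the candidate profiles grant the needed rule. The file names, profile names, profile contents and the audit line are assumptions made up for the example; the field order of the denial line is assumed from the shape of AppArmor's `type=1400` messages, and the parser handles only flat profiles (no child profiles or hats).

```python
import re
from collections import defaultdict

# Constructed sample profile files for this example (hypothetical, not the
# files from the bug report). The second file is a stale profile that also
# attaches to /usr/sbin/airodump-ng but lacks the packet-socket rule.
SAMPLE_FILES = {
    "/etc/apparmor.d/usr.sbin.airodump-ng": """\
#include <tunables/global>
/usr/sbin/airodump-ng {
  #include <abstractions/base>
  capability net_raw,
  capability setuid,
  network packet raw,
}
""",
    "/etc/apparmor.d/local/airodump-old": """\
# stale copy left behind from an earlier attempt
profile airodump_old /usr/sbin/airodump-ng {
  capability setuid,
  network inet stream,
}
""",
    "/etc/apparmor.d/bin.ping": """\
/bin/ping {
  capability net_raw,
  network inet raw,
}
""",
}

# Constructed denial line in the shape AppArmor writes for a refused socket()
# call (assumed field order; the profile name is hypothetical).
SAMPLE_DENIAL = (
    'Jul 19 16:27:35 host kernel: [169024.990583] type=1400 '
    'audit(1437337655.123:99): apparmor="DENIED" operation="create" '
    'profile="airodump_old" pid=4242 comm="airodump-ng" family="packet" '
    'sock_type="raw" protocol=768'
)

# Profile header: optional "profile NAME", attachment path, optional flags, "{".
HEADER_RE = re.compile(
    r'^\s*(?:profile\s+(?P<name>\S+)\s+)?(?P<path>/\S+)\s*(?:flags=\([^)]*\)\s*)?\{')
CAP_RE = re.compile(r'^\s*capability\s+(\w+)\s*,')
NET_RE = re.compile(r'^\s*network\s+(\w+)\s+(\w+)\s*,')
DENIAL_RE = re.compile(
    r'apparmor="DENIED".*?profile="(?P<profile>[^"]+)"'
    r'.*?family="(?P<family>\w+)".*?sock_type="(?P<type>\w+)"')


def parse_profiles(files):
    """Return one record per flat profile: name, attachment path, caps, network rules.

    Child profiles and hats are not handled: the first line that is just "}"
    closes the profile being read.
    """
    profiles = []
    for fname, text in files.items():
        current = None
        for line in text.splitlines():
            if current is None:
                m = HEADER_RE.match(line)
                if m:
                    current = {"file": fname,
                               "name": m.group("name") or m.group("path"),
                               "path": m.group("path"),
                               "caps": set(), "network": set()}
                continue
            cap = CAP_RE.match(line)
            net = NET_RE.match(line)
            if cap:
                current["caps"].add(cap.group(1))
            elif net:
                current["network"].add((net.group(1), net.group(2)))
            elif line.strip() == "}":
                profiles.append(current)
                current = None
    return profiles


def duplicate_attachments(profiles):
    """Map each attachment path claimed by more than one profile to those profile names."""
    by_path = defaultdict(list)
    for p in profiles:
        by_path[p["path"]].append(p["name"])
    return {path: names for path, names in by_path.items() if len(names) > 1}


def explain_denial(profiles, denial_line):
    """Report which profile the kernel applied and which candidates grant the needed rule."""
    m = DENIAL_RE.search(denial_line)
    if m is None:
        return None
    denied_name = m.group("profile")
    wanted = (m.group("family"), m.group("type"))
    needed = f"network {wanted[0]} {wanted[1]},"
    denied = next((p for p in profiles if p["name"] == denied_name), None)
    if denied is None:
        return {"denied_profile": denied_name, "known": False,
                "needed_rule": needed, "candidates": []}
    candidates = [
        {"name": p["name"], "file": p["file"],
         "grants_network": wanted in p["network"],
         "has_net_raw": "net_raw" in p["caps"]}
        for p in profiles if p["path"] == denied["path"]
    ]
    return {"denied_profile": denied_name, "known": True,
            "needed_rule": needed, "candidates": candidates}


if __name__ == "__main__":
    profs = parse_profiles(SAMPLE_FILES)
    for path, names in duplicate_attachments(profs).items():
        print(f"{path} is attached by {len(names)} profiles: {', '.join(names)}")
    report = explain_denial(profs, SAMPLE_DENIAL)
    print(f"kernel applied profile {report['denied_profile']!r}; needs {report['needed_rule']}")
    for c in report["candidates"]:
        print(f"  {c['name']} ({c['file']}): grants rule={c['grants_network']}, "
              f"net_raw={c['has_net_raw']}")
```

On a real system, feed `parse_profiles` the contents of the files under `/etc/apparmor.d/` and `explain_denial` the `type=1400` lines from `dmesg` or the audit log. The `profile=` field of the denial names the profile the kernel actually attached to the process; if that is not the profile you have been editing, a second profile has won the attachment and adding capabilities to the first one will not change the outcome.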