Permission denied when capability is granted

Bug #1476046 reported by Moshe Kaplan
Affects: AppArmor
Status: Invalid
Importance: Undecided
Assigned to: Unassigned
Milestone: -

Bug Description

I'm writing a profile for airodump-ng. Even though the capability is included in the profile, the program is still being denied permission. Adding another permission, capability net_admin, solved the issue and allowed the program to run.

sudo apparmor_parser -r -d /etc/apparmor.d/usr.sbin.airodump-ng
----- Debugging built structures -----
Name: /usr/sbin/airodump-ng
Profile Mode: Enforce
Capabilities: dac_override setuid net_bind_service net_raw
Quiet Caps: dac_override setuid net_bind_service net_raw
Network: ax25 { stream dgram } rose { stream dgram } econet { raw }

moshe@moshe-desktop:~/Desktop/aircrack$ sudo invoke-rc.d apparmor reload
 * Reloading AppArmor profiles Skipping profile in /etc/apparmor.d/disable: usr.bin.firefox
Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
[ OK ]

moshe@moshe-desktop:~/Desktop/aircrack$ sudo airodump-ng mon0
socket(PF_PACKET) failed: Operation not permitted

moshe@moshe-desktop:~/Desktop/aircrack$ tail /var/log/syslog
Jul 19 16:27:35 moshe-desktop kernel: [169024.990583] type=1400 audit(1437337655.546:10873): apparmor="DENIED" operation="capable" profile="/usr/sbin/airodump-ng" pid=13723 comm="airodump-ng" capability=13 capname="net_raw"

Profile:
# Last Modified: Sun Jul 19 14:06:23 2015
#include <tunables/global>

/usr/sbin/airodump-ng {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  capability dac_override,
  capability setuid,
  capability net_raw,

  network packet raw,

  deny @{HOME}/*/.* rw,

  /bin/dash rix,
  /bin/ls rix,
  /sbin/ r,
  /sbin/iwpriv rix,

  @{HOME}/** r,

  owner @{HOME}/**.cap w,
  owner @{HOME}/**.csv w,
  owner @{HOME}/**.kismet.netxml w,
  owner @{HOME}/**.gps w,

  /usr/sbin/airodump-ng mr,

  /proc/*/net/psched r,
  /proc/acpi/ac_adapter/ r,
  /proc/acpi/battery/ r,

  /usr/share/aircrack-ng/airodump-ng-oui.txt r,

}

Tags: aa-kernel
Christian Boltz (cboltz): tags: added: aa-kernel

Moshe Kaplan (moshekaplan) wrote :

This bug may have been caused by a second, conflicting profile.

While this issue can likely be closed, it may be worth checking if a second profile will be loaded for a single binary, and logging that.

Christian Boltz (cboltz) wrote :

OK, closing as invalid because of the conflicting profiles.

I also submitted a patch so that future versions of aa-logprof will detect conflicting/duplicate profiles.
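
As an added illustration of the duplicate-profile check discussed in these comments (this is not the aa-logprof patch itself), the script below scans a profile directory for more than one top-level profile attached to the same binary; the second file name local.airodump-test and all file contents are constructed sample data.

```python
import re
from collections import defaultdict
from pathlib import Path

# A top-level profile starts at column 0 with its attachment path, optionally
# preceded by "profile NAME" and followed by flags=(...), then an opening brace.
# Indented child profiles and rules such as "/bin/dash rix," do not match.
PROFILE_START = re.compile(
    r"^(?:profile\s+\S+\s+)?(/\S+)\s*(?:flags=\([^)]*\)\s*)?\{", re.MULTILINE
)

def profile_paths(text):
    """Return the attachment paths of the top-level profiles defined in one file."""
    return PROFILE_START.findall(text)

def find_conflicts(files):
    """files maps a profile file name to its text. Returns {path: [file names]}
    for every attachment path defined by more than one file; the profile that
    apparmor_parser loads last replaces the others in the kernel."""
    definers = defaultdict(list)
    for name, text in files.items():
        for path in profile_paths(text):
            definers[path].append(name)
    return {p: sorted(n) for p, n in definers.items() if len(n) > 1}

def load_profile_dir(directory="/etc/apparmor.d"):
    """Read the regular files directly under the profile directory; subdirectories
    such as disable/ are skipped, as the reload output above shows the init script doing."""
    return {p.name: p.read_text(errors="replace")
            for p in Path(directory).iterdir() if p.is_file()}

# Constructed sample: a cut-down copy of the reporter's profile plus a hypothetical
# second file that attaches to the same binary and adds net_admin.
SAMPLE_FILES = {
    "usr.sbin.airodump-ng": (
        "#include <tunables/global>\n"
        "/usr/sbin/airodump-ng {\n"
        "  #include <abstractions/base>\n"
        "  capability net_raw,\n"
        "  network packet raw,\n"
        "  /bin/dash rix,\n"
        "}\n"
    ),
    "local.airodump-test": (
        "/usr/sbin/airodump-ng flags=(complain) {\n"
        "  capability net_raw,\n  capability net_admin,\n}\n"
    ),
    "usr.sbin.rsyslogd": "/usr/sbin/rsyslogd {\n  /var/log/** w,\n}\n",
}

if __name__ == "__main__":
    for path, names in find_conflicts(SAMPLE_FILES).items():
        print(f"{path} is defined in {len(names)} files: {', '.join(names)}")
```

Run with find_conflicts(load_profile_dir()) to check a live /etc/apparmor.d instead of the sample.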

Changed in apparmor:
status: New → Invalid