Comment 17 for bug 1897369

John Johansen (jjohansen) wrote :

This is not a disconnect between the capability framework (which is integrated into the LSM), nor the devs who implemented AppArmor.

Calls to capable() can have side effects; it is an LSM hook, and Linux capabilities are implemented as an LSM module that is stacked with the other LSMs. So if an LSM chooses to mediate a capability, it can. AppArmor, Smack, and SELinux all mediate capable calls, which is done in addition to the regular capable subsystem check. Unless the call to capable() is marked with the option CAP_OPT_NOAUDIT, an LSM may generate audit messages.

The solution is that the caller of capable() needs to pass the option CAP_OPT_NOAUDIT if there really shouldn't be an audit message generated.

If userspace code doesn't want an audit message generated, then it needs to work with the LSM's policy to make sure an audit message is not generated. AppArmor policy by default quiets auditing of capability messages if the capability is granted by policy; it also allows disabling of auditing of a message if the capability should be denied.
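
The behaviour described in the comment above, as an added user-space model in C (not kernel or AppArmor code, and not part of the original comment): a regular capability check stacked with a policy LSM hook, where a denial is audited unless the caller passes CAP_OPT_NOAUDIT or the policy quiets it. Apart from the name CAP_OPT_NOAUDIT, every identifier, flag value and capability number here is a constructed assumption.

```c
#include <stdio.h>

/* Constructed values for this model; the kernel defines its own. */
#define CAP_OPT_NONE    0x0u
#define CAP_OPT_NOAUDIT 0x2u
#define EPERM_ERR       (-1)

struct task {                 /* hypothetical stand-in for cred + LSM policy */
    unsigned long effective;  /* capabilities the task holds */
    unsigned long allow;      /* capabilities the LSM policy grants */
    unsigned long quiet;      /* denials the policy says not to audit */
};

static int audit_count;       /* audit messages emitted so far */

/* Regular capability check: no policy, no auditing. */
static int commoncap_hook(const struct task *t, int cap, unsigned opts)
{
    (void)opts;
    return (t->effective & (1ul << cap)) ? 0 : EPERM_ERR;
}

/* Policy LSM hook, run in addition to the regular check. */
static int policy_lsm_hook(const struct task *t, int cap, unsigned opts)
{
    unsigned long bit = 1ul << cap;
    if (t->allow & bit)
        return 0;                          /* granted by policy: quiet */
    if (!(opts & CAP_OPT_NOAUDIT) && !(t->quiet & bit)) {
        audit_count++;                     /* neither caller nor policy silenced it */
        printf("audit: DENIED capability=%d\n", cap);
    }
    return EPERM_ERR;
}

/* Every stacked hook must agree; the first refusal wins. */
static int model_capable(const struct task *t, int cap, unsigned opts)
{
    int rc = commoncap_hook(t, cap, opts);
    return rc ? rc : policy_lsm_hook(t, cap, opts);
}

int main(void)
{
    struct task t = { .effective = ~0ul, .allow = 1ul << 12, .quiet = 1ul << 21 };
    model_capable(&t, 12, CAP_OPT_NONE);     /* granted: no message */
    model_capable(&t, 19, CAP_OPT_NONE);     /* denied: one message */
    model_capable(&t, 19, CAP_OPT_NOAUDIT);  /* denied: caller silenced it */
    model_capable(&t, 21, CAP_OPT_NONE);     /* denied: policy silenced it */
    printf("audit messages: %d\n", audit_count);
    return 0;
}
```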