Welcome to the Linux Foundation Forum!

capabilities in AppArmor profile vs extended attributes

Posts: 1
in LFS207 Class Forum

"Exercise 35.2: Exploring apparmor security"

In this lab we copy /bin/ping to /bin/ping-x and set it's net_raw capability to permitted and effective:
setcap cap_net_raw+ep /bin/ping-x

Then we generate apparmor profile:
aa-genprof /bin/ping-x

After that if i unset net_raw capability:
setcap cap_net_raw-ep /bin/ping-x
it doesn't work:

  1. socktype: SOCK_RAW
  2. socket: Operation not permitted
  3. missing cap_net_raw+p capability or setuid?

Generated apparmor profile already contains capability net_raw, so why it doesn't work without cap_net_raw=ep set in extended attributes? How it's different?

Answers

  • Posts: 1,276

    Hi @xycainoff, I did the test and you are right. The only information I found is the following, in the capabilities(7) man page:

    CAP_NET_RAW
    • Use RAW and PACKET sockets;
    • bind to any address for transparent proxying.

    So it seems that the file needs the net_raw capability in order to work, as a requirement of the operating system in order to work properly with the networking subsystem.

    Regards,
    Luis.

Welcome!

It looks like you're new here. Sign in or register to get started.
Sign In

Welcome!

It looks like you're new here. Sign in or register to get started.
Sign In

Quick Links

Categories

Upcoming Training