Welcome to the Linux Foundation Forum!

capabilities in AppArmor profile vs extended attributes

"Exercise 35.2: Exploring apparmor security"

In this lab we copy /bin/ping to /bin/ping-x and set its net_raw capability to permitted and effective:
setcap cap_net_raw+ep /bin/ping-x

Then we generate apparmor profile:
aa-genprof /bin/ping-x

After that, if I unset the net_raw capability:
setcap cap_net_raw-ep /bin/ping-x
it doesn't work:

socktype: SOCK_RAW
socket: Operation not permitted
missing cap_net_raw+p capability or setuid?

The generated apparmor profile already contains capability net_raw, so why doesn't it work without cap_net_raw=ep set in the extended attributes? How is it different?

Answers

  • Hi @xycainoff, I did the test and you are right. The only information I found is the following, in the capabilities(7) man page:

    CAP_NET_RAW
    • Use RAW and PACKET sockets;
    • bind to any address for transparent proxying.

    So it seems that the file needs the net_raw capability in order to work, as a requirement of the operating system in order to work properly with the networking subsystem.

    Regards,
    Luis.
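Added example, not part of the thread: a small Python model of the order in which the kernel applies the two checks when /bin/ping-x calls socket(AF_INET, SOCK_RAW). The capability check needs CAP_NET_RAW in the thread's permitted set, which the file xattr grants; the AppArmor hook runs afterwards and can only deny a capability the profile does not list, never grant one. The getcap line formats and the profile text are assumptions for the sake of the demo.

```python
import re

def caps_from_getcap(line: str) -> dict:
    """Parse one getcap output line into {cap_name: set(flags)}.
    Accepts '/bin/ping-x = cap_net_raw+ep' (older libcap) and
    '/bin/ping-x cap_net_raw=ep' (newer libcap). An empty line means
    getcap printed nothing: no security.capability xattr on the file."""
    caps = {}
    line = line.strip()
    if not line or " " not in line:
        return caps
    text = line.split(None, 1)[1].lstrip("= ").strip()
    for clause in text.split():
        m = re.fullmatch(r"([a-z_,]+)([+=])([eip]+)", clause)
        if not m:
            raise ValueError(f"unparsed capability clause: {clause!r}")
        names, _op, flags = m.groups()
        for name in names.split(","):
            caps[name] = set(flags)
    return caps

def caps_from_profile(profile: str) -> set:
    """Collect 'capability <name>,' rules from AppArmor profile text.
    (A bare 'capability,' rule meaning all capabilities is not modelled.)"""
    return set(re.findall(r"^\s*capability\s+([a-z_]+)\s*,", profile, re.M))

def raw_socket_allowed(getcap_line: str, profile: str) -> tuple:
    """Return (allowed, reason) for a SOCK_RAW socket() call by the binary."""
    flags = caps_from_getcap(getcap_line).get("cap_net_raw", set())
    # First check: the thread must hold CAP_NET_RAW. Without the xattr (or
    # setuid root) the permitted set is empty and the call fails with EPERM,
    # which is the error ping prints in the question.
    if "p" not in flags:
        return False, "missing cap_net_raw+p capability or setuid?"
    # Second check: AppArmor mediates capabilities the thread already has;
    # a missing rule denies, a present rule merely lets the first check stand.
    if "net_raw" not in caps_from_profile(profile):
        return False, 'apparmor="DENIED" capability net_raw'
    return True, "ok"

# Constructed inputs mirroring the exercise (not real getcap/aa-genprof output).
PROFILE = "/bin/ping-x {\n  capability net_raw,\n  network inet raw,\n}\n"

if __name__ == "__main__":
    print(raw_socket_allowed("/bin/ping-x cap_net_raw=ep", PROFILE))
    print(raw_socket_allowed("", PROFILE))  # xattr removed: denied before AppArmor
```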
