capabilities in AppArmor profile vs extended attributes

xycainoff

"Exercise 35.2: Exploring apparmor security"

In this lab we copy /bin/ping to /bin/ping-x and set it's net_raw capability to permitted and effective:
setcap cap_net_raw+ep /bin/ping-x

Then we generate apparmor profile:
aa-genprof /bin/ping-x

After that if i unset net_raw capability:
setcap cap_net_raw-ep /bin/ping-x
it doesn't work:

socktype: SOCK_RAW
socket: Operation not permitted
missing cap_net_raw+p capability or setuid?

Generated apparmor profile already contains capability net_raw, so why it doesn't work without cap_net_raw=ep set in extended attributes? How it's different?

luisviveropena

Hi @xycainoff, I did the test and you are right. The only information I found is the following, in the capabilities(7) man page:

CAP_NET_RAW
• Use RAW and PACKET sockets;
• bind to any address for transparent proxying.

So it seems that the file needs the net_raw capability in order to work, as a requirement of the operating system in order to work properly with the networking subsystem.

Regards,
Luis.