AppArmor and Capabilities
Hi,
In "Lab 33.2. Explore the AppArmor Security"
https://trainingportal.linuxfoundation.org/learn/course/linux-system-administration-essentials-lfs207/linux-security-modules/lab-exercises?page=2
...the capabilities commands getcap
and setcap
are used, whereas these commands are nowhere described before in this chapter 33.
In which way are they part of the AppArmor framework? I'm asking because if I read through the man pages of these commands, AppArmor is not referenced anywhere. So, are they independent commands or interconnected in some way with AppArmor? And why are they used at this point in the Lab (1. - 3.) before the AppArmor Profiles are set up (4. - ...)?
Thanks,
Urs
Answers
-
...As an addition to my question above, why do we need to set an AppArmor profile for the new
/bin/ping-x
application? Even after a reboot, it already works as expected, after setting the capabilities withsudo setcap cap_net_raw+ep /bin/ping-x
Could you please explain that too?
Thanks,
Urs0 -
Could anyone please answer this one too?
Thanks,
Urs0 -
Hi Urs,
In which way are they part of the AppArmor framework? I'm asking because if I read through the man >pages of these commands, AppArmor is not referenced anywhere. So, are they independent commands >or interconnected in some way with AppArmor?
AppArmor is related to 'getcap' and 'setcap' tools, and they can work together. But you also can work with 'getcap' and 'setcap' without AppArmor. I mean, they are independent tools, but as 'setcap' can modify the capabilities of files and what they can do, it's completely related to AppArmor.
I hope that helps!
Regards,
Luis.0 -
Hi Luis,
Thank your for your reply.
What I still do not understand is the workflow in Lab 33.2.. After setting the capabilities in Step 1-3, the new ping-x program works as expected, even after a reboot:
Step 2:
alu@ubuntu-dt-vm:~$ ls -l /bin/ping -rwxr-xr-x 1 root root 89768 Apr 8 2024 /bin/ping alu@ubuntu-dt-vm:~$ alu@ubuntu-dt-vm:~$ sudo cp /bin/ping /bin/ping-x alu@ubuntu-dt-vm:~$ alu@ubuntu-dt-vm:~$ ls -l /bin/ping-x -rwxr-xr-x 1 root root 89768 Nov 12 08:44 /bin/ping-x alu@ubuntu-dt-vm:~$ alu@ubuntu-dt-vm:~$ sudo getcap /bin/ping /bin/ping cap_net_raw=ep alu@ubuntu-dt-vm:~$ sudo getcap /bin/ping-x alu@ubuntu-dt-vm:~$ alu@ubuntu-dt-vm:~$ ping-x -c3 -4 127.0.0.1 ping-x: socktype: SOCK_RAW ping-x: socket: Operation not permitted ping-x: => missing cap_net_raw+p capability or setuid? alu@ubuntu-dt-vm:~$
Step 3:
alu@ubuntu-dt-vm:~$ sudo setcap cap_net_raw+ep /bin/ping-x alu@ubuntu-dt-vm:~$ alu@ubuntu-dt-vm:~$ sudo getcap /bin/ping /bin/ping cap_net_raw=ep alu@ubuntu-dt-vm:~$ sudo getcap /bin/ping-x /bin/ping-x cap_net_raw=ep alu@ubuntu-dt-vm:~$ alu@ubuntu-dt-vm:~$ ping-x -c3 -4 127.0.0.1 PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data. 64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.081 ms 64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.055 ms 64 bytes from 127.0.0.1: icmp_seq=3 ttl=64 time=0.055 ms --- 127.0.0.1 ping statistics --- 3 packets transmitted, 3 received, 0% packet loss, time 2061ms rtt min/avg/max/mdev = 0.055/0.063/0.081/0.012 ms alu@ubuntu-dt-vm:~$ alu@ubuntu-dt-vm:~$ sudo reboot # [... after reboot...] alu@ubuntu-dt-vm:~$ ping-x -c3 -4 127.0.0.1 PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data. 64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.070 ms 64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.066 ms 64 bytes from 127.0.0.1: icmp_seq=3 ttl=64 time=0.051 ms --- 127.0.0.1 ping statistics --- 3 packets transmitted, 3 received, 0% packet loss, time 2053ms rtt min/avg/max/mdev = 0.051/0.062/0.070/0.008 ms
Maybe I missed something, but this means that the following steps by generating the AppArmor profile with aa-genprof (Step 4+) become useless as it doesn't change anything in terms of the ping-x's behavior. The program ping-x works before and it also works after setting up the AppArmor profile.
Therefore, after restoring the latest VM snapshot, I tried it again without setting the capabilities, but this experiment failed. Only setting up an AppArmor profile without previously changing the capabilities seam not to work for some reason.
Hence, the only way I get the ping-x to work is setting the capabilities, with or without creating an AppArmor profile.
It would be great if you could further explain that behavior, so I can understand the relationship between setting the capabilities and AppArmor.
Thanks,
Urs0 -
Hi Urs,
It's seems to me it's working fine, as expected. What we do is the following:
1.- We try the ping tool, it works.
2.- We copy the ping tool to another file named ping-x.
3.- We try ping-x and this won't work. Why? Because it doesn't have the required capabilities. I tested this and it's working as expected:ubuntu@master:~$ sudo cp /bin/ping /bin/ping-x
ubuntu@master:~$ ping-x google.com
ping-x: socktype: SOCK_RAW
ping-x: socket: Operation not permitted
ping-x: => missing cap_net_raw+p capability or setuid?ubuntu@master:~$ getcap /bin/ping-x
ubuntu@master:~$
ubuntu@master:~$ getcap /bin/ping
/bin/ping cap_net_raw=ep4.- We add the cap_net_raw+ep capability to /bin/ping-x and it works.
That's it!
5.- About the profiles:
Maybe I missed something, but this means that the following steps by generating the AppArmor profile >with aa-genprof (Step 4+) become useless as it doesn't change anything in terms of the ping-x's >behavior. The program ping-x works before and it also works after setting up the AppArmor profile.
It's because the profile for ping-x was copied from ping. But if it was copied from a different type of tool -let's say from cupsd- it would have failed. So, the idea behind this is to give you an idea about profiles.
Regards,
Luis.0 -
Perfect, thank you very much.
Regards,
Urs1 -
Hi Urs, it's a pleasure
Luis.
0
Categories
- All Categories
- 217 LFX Mentorship
- 217 LFX Mentorship: Linux Kernel
- 792 Linux Foundation IT Professional Programs
- 354 Cloud Engineer IT Professional Program
- 178 Advanced Cloud Engineer IT Professional Program
- 82 DevOps Engineer IT Professional Program
- 147 Cloud Native Developer IT Professional Program
- 137 Express Training Courses
- 137 Express Courses - Discussion Forum
- 6.2K Training Courses
- 47 LFC110 Class Forum - Discontinued
- 71 LFC131 Class Forum
- 42 LFD102 Class Forum
- 226 LFD103 Class Forum
- 18 LFD110 Class Forum
- 38 LFD121 Class Forum
- 18 LFD133 Class Forum
- 7 LFD134 Class Forum
- 18 LFD137 Class Forum
- 71 LFD201 Class Forum
- 4 LFD210 Class Forum
- 5 LFD210-CN Class Forum
- 2 LFD213 Class Forum - Discontinued
- 128 LFD232 Class Forum - Discontinued
- 2 LFD233 Class Forum
- 4 LFD237 Class Forum
- 24 LFD254 Class Forum
- 697 LFD259 Class Forum
- 111 LFD272 Class Forum
- 4 LFD272-JP クラス フォーラム
- 12 LFD273 Class Forum
- 148 LFS101 Class Forum
- 1 LFS111 Class Forum
- 3 LFS112 Class Forum
- 2 LFS116 Class Forum
- 4 LFS118 Class Forum
- LFS120 Class Forum
- 7 LFS142 Class Forum
- 5 LFS144 Class Forum
- 4 LFS145 Class Forum
- 2 LFS146 Class Forum
- 3 LFS147 Class Forum
- 1 LFS148 Class Forum
- 15 LFS151 Class Forum
- 2 LFS157 Class Forum
- 29 LFS158 Class Forum
- 7 LFS162 Class Forum
- 2 LFS166 Class Forum
- 4 LFS167 Class Forum
- 3 LFS170 Class Forum
- 2 LFS171 Class Forum
- 3 LFS178 Class Forum
- 3 LFS180 Class Forum
- 2 LFS182 Class Forum
- 5 LFS183 Class Forum
- 31 LFS200 Class Forum
- 737 LFS201 Class Forum - Discontinued
- 3 LFS201-JP クラス フォーラム
- 18 LFS203 Class Forum
- 134 LFS207 Class Forum
- 2 LFS207-DE-Klassenforum
- 1 LFS207-JP クラス フォーラム
- 302 LFS211 Class Forum
- 56 LFS216 Class Forum
- 52 LFS241 Class Forum
- 48 LFS242 Class Forum
- 38 LFS243 Class Forum
- 15 LFS244 Class Forum
- 2 LFS245 Class Forum
- LFS246 Class Forum
- 48 LFS250 Class Forum
- 2 LFS250-JP クラス フォーラム
- 1 LFS251 Class Forum
- 152 LFS253 Class Forum
- 1 LFS254 Class Forum
- 1 LFS255 Class Forum
- 7 LFS256 Class Forum
- 1 LFS257 Class Forum
- 1.3K LFS258 Class Forum
- 10 LFS258-JP クラス フォーラム
- 118 LFS260 Class Forum
- 159 LFS261 Class Forum
- 42 LFS262 Class Forum
- 82 LFS263 Class Forum - Discontinued
- 15 LFS264 Class Forum - Discontinued
- 11 LFS266 Class Forum - Discontinued
- 24 LFS267 Class Forum
- 22 LFS268 Class Forum
- 30 LFS269 Class Forum
- LFS270 Class Forum
- 202 LFS272 Class Forum
- 2 LFS272-JP クラス フォーラム
- 1 LFS274 Class Forum
- 4 LFS281 Class Forum
- 9 LFW111 Class Forum
- 259 LFW211 Class Forum
- 181 LFW212 Class Forum
- 13 SKF100 Class Forum
- 1 SKF200 Class Forum
- 1 SKF201 Class Forum
- 795 Hardware
- 199 Drivers
- 68 I/O Devices
- 37 Monitors
- 102 Multimedia
- 174 Networking
- 91 Printers & Scanners
- 85 Storage
- 758 Linux Distributions
- 82 Debian
- 67 Fedora
- 17 Linux Mint
- 13 Mageia
- 23 openSUSE
- 148 Red Hat Enterprise
- 31 Slackware
- 13 SUSE Enterprise
- 353 Ubuntu
- 468 Linux System Administration
- 39 Cloud Computing
- 71 Command Line/Scripting
- Github systems admin projects
- 93 Linux Security
- 78 Network Management
- 102 System Management
- 47 Web Management
- 63 Mobile Computing
- 18 Android
- 33 Development
- 1.2K New to Linux
- 1K Getting Started with Linux
- 371 Off Topic
- 114 Introductions
- 174 Small Talk
- 22 Study Material
- 805 Programming and Development
- 303 Kernel Development
- 484 Software Development
- 1.8K Software
- 261 Applications
- 183 Command Line
- 3 Compiling/Installing
- 987 Games
- 317 Installation
- 97 All In Program
- 97 All In Forum
Upcoming Training
-
August 20, 2018
Kubernetes Administration (LFS458)
-
August 20, 2018
Linux System Administration (LFS301)
-
August 27, 2018
Open Source Virtualization (LFS462)
-
August 27, 2018
Linux Kernel Debugging and Security (LFD440)