[Nix-dev] AppArmor
Eelco Dolstra
eelco.dolstra at logicblox.com
Mon May 13 16:03:20 CEST 2013
Hi,
On 13/05/13 15:49, Eelco Dolstra wrote:
> BTW, do you know if AppArmor profiles allow granting capabilities to a process
> (rather than merely allowing capabilities they already have)? That way we could
> get rid of setuid ping entirely, simply by having a profile for
> ${pkgs.iputils}/bin/ping that grants net_raw capability.
To answer my own question: apparently not. AppArmor < 2.5 allowed this, but the
feature was removed. From the release notes:
set capabilities - this feature is dangerous, has never been completed (could
not drop caps, and proper checks not done and as such should not be used) and is
not needed if AppArmor is combined with fscaps and the pam_cap.so PAM module.
Too bad...
--
Eelco Dolstra | LogicBlox, Inc. | http://nixos.org/~eelco/
More information about the nix-dev
mailing list