profiles: remove CAP_SYS_ADMIN from iotop_c profile

See the comment for an explanation of why CAP_SYS_ADMIN was being checked and why it isn't actually necessary for setting ionice values for processes Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
2025-08-22 01:57:43 +00:00 · 2025-05-12 10:47:55 +02:00 · 2025-05-12 10:47:55 +02:00 · 05a48f676b
commit 05a48f676b
parent d94ff137ef
1 changed files with 9 additions and 1 deletions
--- a/profiles/apparmor.d/iotop-c
+++ b/profiles/apparmor.d/iotop-c
@ -8,7 +8,15 @@ profile iotop-c /usr/sbin/iotop-c {
  include <abstractions/nameservice-strict>

  capability net_admin,
-  capability sys_admin,
+  # The ioprio_set syscall checks for sys_admin or sys_nice
+  # (with sys_admin checked first, with OR shortcut logic)
+  # when used to set a real-time scheduler, and later checks
+  # for sys_nice if the target uid is not equal to the caller's
+  # uid or euid (e.g the sys_nice check will not be exercised
+  # when changing euid via sudo). sys_nice covers the perms
+  # required for this syscall and is less broad than sys_admin,
+  # so silence a denial of sys_admin and force reliance on sys_nice.
+  deny capability sys_admin,
  capability sys_nice,

  network netlink raw,