From 05a48f676bec935effc817bf59fc10481ae23851 Mon Sep 17 00:00:00 2001
From: Ryan Lee
Date: Mon, 12 May 2025 10:47:55 +0200
Subject: [PATCH] profiles: remove CAP_SYS_ADMIN from iotop_c profile

See the comment for an explanation of why CAP_SYS_ADMIN was being checked and why it isn't actually necessary for setting ionice values for processes

Signed-off-by: Ryan Lee
---
 profiles/apparmor.d/iotop-c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/profiles/apparmor.d/iotop-c b/profiles/apparmor.d/iotop-c
index f02fbc7a6..ce35fc081 100644
--- a/profiles/apparmor.d/iotop-c
+++ b/profiles/apparmor.d/iotop-c
@@ -8,7 +8,15 @@ profile iotop-c /usr/sbin/iotop-c {
 include
 capability net_admin,
- capability sys_admin,
+ # The ioprio_set syscall checks for sys_admin or sys_nice
+ # (with sys_admin checked first, with OR shortcut logic)
+ # when used to set a real-time scheduler, and later checks
+ # for sys_nice if the target uid is not equal to the caller's
+ # uid or euid (e.g the sys_nice check will not be exercised
+ # when changing euid via sudo). sys_nice covers the perms
+ # required for this syscall and is less broad than sys_admin,
+ # so silence a denial of sys_admin and force reliance on sys_nice.
+ deny capability sys_admin,
 capability sys_nice,
 network netlink raw,
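Review bot: The comment above `deny capability sys_admin,` explains why sys_nice is sufficient but not what the `deny` itself costs: an explicit deny is not logged, and it takes precedence over any allow rule, so a site-local addition to the profile cannot grant sys_admin back. That matters because the sys_admin-or-sys_nice check the comment describes is, as far as I know, not present in every kernel; older kernels appear to accept only CAP_SYS_ADMIN for the real-time I/O class, and there iotop-c would get EPERM with no audit record pointing at this rule. I would add one line to the comment, e.g. `# NOTE: deny is unlogged and overrides later allow rules; on kernels whose RT ioprio check accepts only sys_admin this fails silently.` If visibility is preferred over quiet logs while the change settles, `audit deny capability sys_admin,` keeps the restriction and records the event. The profile body starts and ends outside the hunk, so any local include that might be affected is not visible here.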