mir/apparmor
2
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-28 12:58:07 +00:00
Code Issues Releases Wiki Activity

profiles: remove CAP_SYS_ADMIN from iotop_c profile

Browse Source 
See the comment for an explanation of why CAP_SYS_ADMIN was being checked and why it isn't actually necessary for setting ionice values for processes

Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
This commit is contained in:
Ryan Lee 2025-05-12 10:47:55 +02:00
parent d94ff137ef
commit 05a48f676b
1 changed files with 9 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
profiles/apparmor.d/iotop-c
View File

@ -8,7 +8,15 @@ profile iotop-c /usr/sbin/iotop-c {
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
capability net_admin, capability net_admin,
capability sys_admin, # The ioprio_set syscall checks for sys_admin or sys_nice
# (with sys_admin checked first, with OR shortcut logic)
# when used to set a real-time scheduler, and later checks
# for sys_nice if the target uid is not equal to the caller's
# uid or euid (e.g the sys_nice check will not be exercised
# when changing euid via sudo). sys_nice covers the perms
# required for this syscall and is less broad than sys_admin,
# so silence a denial of sys_admin and force reliance on sys_nice.
deny capability sys_admin,
capability sys_nice, capability sys_nice,
network netlink raw, network netlink raw,