| Documentation / 20.11. Setting Capabilities per Profile | ||||
|---|---|---|---|---|
 | 20.10. Auditing Rules | Chapter 21. AppArmor Profile Repositories |  | |
| Documentation / 20.11. Setting Capabilities per Profile | ||||
|---|---|---|---|---|
| 20.10. Auditing Rules | Chapter 21. AppArmor Profile Repositories | | |
Normally AppArmor only restricts existing native Linux controls and does not grant additional privileges. Therefore, a program having been granted write access to a file via it's profile, would not be able to actually write to this file if the mode bits would be set to read only.
The only exception from this strict rule is the set
capability rule. This provides the ability to give non-root
users administrative privileges, as defined in the
capabilities(7) man page. Contrary to setting a
program to setuid or using file system capabilities, that apply to single
programs only, the set capability rule allows to apply capabilities to
multiple programs running under a specific profile (by using ix
transitions). For security reasons, set capability rules will not be
inherited, so once a program leaves the profile, it looses the elevated
privilege.
![[Warning]](admon/warning.png) | Use set capabilities Rules with Extreme Caution |
|---|---|
Using the set capabilities rules allows to give processes | |
To set a capability in a profile the keyword “set” is prepended to a capability rule. Setting a capability also implicitly adds a capability rule allowing that capability.
set capabilty cap_chown,
![[Note]](admon/note.png) | |
Currently the tools can not be used to add rlimit rules to profiles. The only way to add rlimit controls to a profile is manually edit the profile with a text editor. The tools will still work with profiles containing rlimit rules and will not remove them, so it is safe to use the tools to update profiles containing them. | |
