On 11/1/25 09:40, [email protected] wrote:
Hi all,
Why do I get this deny rule
AVC apparmor="DENIED" operation="exec" class="file" info="no new privs" error=-1
profile="/nix/store/ksz6ygnl9f1l6jff3mwmjsmw7qyyxa59-systemd-257.7/**" name="/nix/store/s71mkxsqwlhgjvpdjgnz6wrcah1wfbk3-dhcpcd-10.1.0/sbin/dhcpcd"
pid=872 comm="(dhcpcd)" requested_mask="x" denied_mask="x" fsuid=999 ouid=0
target="/nix/store/s71mkxsqwlhgjvpdjgnz6wrcah1wfbk3-dhcpcd-10.1.0/**
for the profile
profile /nix/store/ksz6ygnl9f1l6jff3mwmjsmw7qyyxa59-systemd-257.7/** {
capability,
network,
mount,
remount,
umount,
pivot_root,
ptrace,
signal,
dbus,
unix,
/** rwmklPux,
}
Shouldn't x be allowed?
This is denied because no-new privs is being enforced and the transition would
result in a policy change that can not be proven at run time to not grant
additional privileges.
Unfortunately the nnp api has it applied before the exec instead of at exec
which is problematic for LSMs that allow policy transitions at exec.
To deal with this you can use a stacked transition that keeps the original
confinement and adds the additional confinement.
/** Pux -> &@{profile_name},
Currently apparmor doesn't allow overriding the nnp restriction. selinux has
add a special capability to allow overriding nnp, and apparmor will have to add
a similar capability to allow for certain situations where stacking doesn't work
