Brian Eaton wrote: > Does cap_setuid give a program enough authority to break out of the > AppArmor profile? > No, cap_setuid is not sufficient. In fact, being full root is not sufficient to break out of AppArmor confinement. Rood daemons being one of the greatest threats to the system, AppArmor would not be very useful if it could not confine root.
Crispin -- Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/ Director of Software Engineering, Novell http://novell.com _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
