Replace blanket capability, with specific capabilities in all AppArmor profiles

Remove overly permissive blanket `capability,` rule (grants ALL Linux capabilities) from 107 addon AppArmor profiles. Replace with only the specific capabilities each addon needs based on its config.yaml `privileged` field. Base capabilities for all addons: setuid, setgid, chown, fowner, dac_override Additional capabilities mapped from config.yaml privileged list: - SYS_ADMIN -> sys_admin - DAC_READ_SEARCH -> dac_read_search - NET_ADMIN -> net_admin - NET_RAW -> net_raw - SYS_RAWIO -> sys_rawio - SYS_TIME -> sys_time - SYS_RESOURCE -> sys_resource Addons with full_access: true (portainer_agent) retain blanket capability. Co-authored-by: alexbelgium <44178713+alexbelgium@users.noreply.github.com>
2026-04-03 21:00:05 +02:00 · 2026-03-17 07:42:05 +00:00
parent 8156916179
commit 3c53e69161
107 changed files with 652 additions and 669 deletions
--- a/codex/apparmor.txt
+++ b/codex/apparmor.txt
@@ -3,7 +3,13 @@
 profile db21ed7f_codex flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/base>

-  capability,
+  capability chown,
+  capability dac_override,
+  capability dac_read_search,
+  capability fowner,
+  capability setgid,
+  capability setuid,
+  capability sys_admin,
  file,
  signal,
  mount,
@@ -18,12 +24,6 @@ profile db21ed7f_codex flags=(attach_disconnected,mediate_deleted) {
  network netlink raw,
  network unix dgram,

-  capability setgid,
-  capability setuid,
-  capability sys_admin,
-  capability dac_read_search,
-  # capability dac_override,
-  # capability sys_rawio,

 # S6-Overlay
  /init ix,