Replace blanket capability, with specific capabilities in all AppArmor profiles

Remove overly permissive blanket `capability,` rule (grants ALL Linux capabilities) from 107 addon AppArmor profiles. Replace with only the specific capabilities each addon needs based on its config.yaml `privileged` field. Base capabilities for all addons: setuid, setgid, chown, fowner, dac_override Additional capabilities mapped from config.yaml privileged list: - SYS_ADMIN -> sys_admin - DAC_READ_SEARCH -> dac_read_search - NET_ADMIN -> net_admin - NET_RAW -> net_raw - SYS_RAWIO -> sys_rawio - SYS_TIME -> sys_time - SYS_RESOURCE -> sys_resource Addons with full_access: true (portainer_agent) retain blanket capability. Co-authored-by: alexbelgium <44178713+alexbelgium@users.noreply.github.com>
2026-06-05 07:14:08 +02:00 · 2026-03-17 07:42:05 +00:00
parent 8156916179
commit 3c53e69161
107 changed files with 652 additions and 669 deletions
--- a/omni-tools/apparmor.txt
+++ b/omni-tools/apparmor.txt
@@ -4,7 +4,11 @@ profile omni-tools flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/base>

  # Capabilities
-  capability,
+  capability chown,
+  capability dac_override,
+  capability fowner,
+  capability setgid,
+  capability setuid,
  file,
  signal (send) set=(kill,term,int,hup,cont),