[PATCH 0/2] Quiet noisy LSM denial when accessing net sysctl

From: Tyler Hicks
Date: Fri May 06 2016 - 19:04:39 EST

This pair of patches does away with what I believe is a useless denial
audit message when a privileged process initially accesses a net sysctl.

The bug was first discovered when running Go applications under AppArmor
confinement. It can be triggered like so:

$ echo "profile test { file, }" | sudo apparmor_parser -rq

Once the profile is loaded, invoke Go as root under confinement:

$ sudo aa-exec -p test -- go version
go version go1.6.1 linux/amd64

Here's the denial:

audit: type=1400 audit(1462575436.832:29): apparmor="DENIED" operation="capable" profile="test" pid=1157 comm="go" capability=12 capname="net_admin"

The reproducer in minimal form is:

$ sudo aa-exec -p test -- cat /proc/sys/net/core/somaxconn

The denial:

audit: type=1400 audit(1462575670.000:29): apparmor="DENIED" operation="capable" profile="test" pid=1161 comm="cat" capability=12 capname="net_admin"