authorColin Watson <cjwatson@debian.org>2020-07-04 22:16:41 +0100
committerColin Watson <cjwatson@debian.org>2020-07-04 22:16:41 +0100
commit38e2b5f7dfb86488a834f04b720380802f620a0a (patch)
treec56184e3537a038e2a1dd58c4eb377a085d78551 /debian
parent75f2bee6b6b773653f010b61b8c0ac63cf55e5b1 (diff)
AppArmor: Silently deny dac_override and dac_read_search capabilities
Closes: #962006
Diffstat (limited to 'debian')
-rw-r--r--debian/apparmor/usr.bin.man6
-rw-r--r--debian/changelog7
2 files changed, 13 insertions, 0 deletions
diff --git a/debian/apparmor/usr.bin.man b/debian/apparmor/usr.bin.man
index b0160528..81ba10f4 100644
--- a/debian/apparmor/usr.bin.man
+++ b/debian/apparmor/usr.bin.man
@@ -39,6 +39,12 @@
capability setuid,
capability setgid,
+ # Ordinary permission checks sometimes involve checking whether the
+ # process has this capability, which can produce audit log messages.
+ # Silence them.
+ deny capability dac_override,
+ deny capability dac_read_search,
+
signal peer=@{profile_name},
signal peer=/usr/bin/man//&man_groff,
signal peer=/usr/bin/man//&man_filter,
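Review bot: The comment added above the two `deny capability` rules says "this capability" although two are denied, and it does not record the trade-off of using an explicit `deny`. In AppArmor a `deny` rule is quieted by default and takes precedence over any allow rule, so besides the noisy probe messages it also hides any genuine attempt by a confined process to use `dac_override` or `dac_read_search`. It also cannot be re-enabled from a local include, if this profile has one (not visible in the hunk). I would extend the comment with something like `# Explicit deny also hides real denials from the audit log and overrides any` / `# allow rule; use "audit deny" temporarily when debugging permission failures.` The enclosing profile block starts and ends outside this hunk.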
diff --git a/debian/changelog b/debian/changelog
index 0fa4986e..c94461f4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+man-db (2.9.3-2) UNRELEASED; urgency=medium
+
+ * AppArmor: Silently deny dac_override and dac_read_search capabilities
+ (closes: #962006).
+
+ -- Colin Watson <cjwatson@debian.org> Sat, 04 Jul 2020 22:12:44 +0100
+
man-db (2.9.3-1) unstable; urgency=medium
* New upstream release.