This pair of patches does away with what I believe is a useless denial
audit message when a privileged process initially accesses a net sysctl.
The bug was first discovered when running Go applications under AppArmor
confinement. It can be triggered like so:
$ echo "profile test { file, }" | sudo apparmor_parser -rq
Once the profile is loaded, invoke Go as root under confinement:
$ sudo aa-exec -p test -- go version
go version go1.6.1 linux/amd64
Here's the denial:
audit: type=1400 audit(1462575436.832:29): apparmor="DENIED"
operation="capable" profile="test" pid=1157 comm="go" capability=12
capname="net_admin"
The reproducer in minimal form is:
$ sudo aa-exec -p test -- cat /proc/sys/net/core/somaxconn
128
The denial:
audit: type=1400 audit(1462575670.000:29): apparmor="DENIED"
operation="capable" profile="test" pid=1161 comm="cat" capability=12
capname="net_admin"
Thanks!
Tyler
