Normally AppArmor only restricts existing native Linux controls and does not grant additional privileges. Therefore, a program having been granted write access to a file via it's profile, would not be able to actually write to this file if the mode bits would be set to read only.
The only exception from this strict rule is the set capability rule. This provides the ability to give non-root users administrative privileges, as defined in the capabilities(7) man page. Contrary to setting a program to setuid or using file system capabilities, that apply to single programs only, the set capability rule allows to apply capabilities to multiple programs running under a specific profile (by using ix transitions). For security reasons, set capability rules will not be inherited, so once a program leaves the profile, it looses the elevated privilege.
WARNING: Use set capabilities Rules with Extreme Caution
Using the set capabilities rules allows to give processes root privileges. Therefore these rules should be used with extreme caution and only in exceptional cases.
To set a capability in a profile the keyword set
is
prepended to a capability rule. Setting a capability also implicitly adds
a capability rule allowing that capability.
set capabilty cap_chown,
NOTE: Currently the tools can not be used to add rlimit rules to profiles. The only way to add rlimit controls to a profile is manually edit the profile with a text editor. The tools will still work with profiles containing rlimit rules and will not remove them, so it is safe to use the tools to update profiles containing them.