Novell LINUX ENTERPRISE SERVER 11 - SECURITY Manual page 267

NOTE: Limitations of the Discrete Local Profile Execute Mode (cx)
Currently cx transitions are limited to top-level profiles and cannot be used
in hats and child profiles. This restriction will be removed in the future.

Incompatible with Ux, ux, Px, px, Cx, and ix.

21.8.3 Unconstrained Execute Mode (ux)
Allows the program to execute the resource without any AppArmor profile applied to
the executed resource. This mode is useful when a confined program needs to be able
to perform a privileged operation, such as rebooting the machine. By placing the
privileged section in another executable and granting unconstrained execution rights,
it is possible to bypass the mandatory constraints imposed on all confined processes.
For more information about what is constrained, see the apparmor(7) man page.

WARNING: Using Unconstrained Execute Mode (ux)
Use ux only in very special cases. It enables the designated child processes to
be run without any AppArmor protection. ux does not scrub the environment
of variables such as LD_PRELOAD. As a result, the calling domain may have an
undue amount of influence over the called resource. Use this mode only if the
child absolutely must be run unconfined and LD_PRELOAD must be used. Any
profile using this mode provides negligible security. Use at your own risk.

This mode is incompatible with Ux, px, Px, and ix.

21.8.4 Clean Exec modes
The clean exec modes allow the named program to run in px, cx and ux mode, but
AppArmor invokes the Linux kernel's unsafe_exec routines to scrub the environment,
similar to setuid programs. The clean exec modes are specified with an uppercase letter:
Px, Cx and Ux. See the man page of ld.so(8) for some information about setuid
and setgid environment scrubbing.
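
An added example, not part of the manual: a small auditor that reads profile text and flags execute rules using the unscrubbed modes described above, plus resources given more than one exec mode. It assumes the classic "path permissions," rule form; the names `audit_profile`, `RULE`, `EXEC`, `SEVERITY` and the sample profile are constructed for illustration.

```python
import re

# Assumes the classic "path permissions," rule form used in this manual;
# rule qualifiers and "-> target" suffixes are tolerated but not interpreted.
RULE = re.compile(
    r"^\s*(?:(?:audit|deny|owner)\s+)*(?P<path>[/@]\S*)\s+"
    r"(?P<perms>[rwalkmixpPcCuU]+)\s*(?:->\s*\S+\s*)?,"
)
EXEC = re.compile(r"ix|[pPcCuU]x")  # only the exec modes named in this section
SEVERITY = {
    "ux": "HIGH: unconfined exec, environment not scrubbed (LD_PRELOAD survives)",
    "Ux": "WARN: unconfined exec, environment scrubbed",
    "px": "INFO: profile transition without environment scrubbing",
    "cx": "INFO: local profile transition without environment scrubbing",
}


def audit_profile(text):
    """Return (line_no, path, mode, message) findings for one profile's text."""
    findings, seen = [], {}
    for no, line in enumerate(text.splitlines(), 1):
        m = RULE.match(line.split("#", 1)[0])      # ignore comments
        mode = m and EXEC.search(m["perms"])
        if not mode:
            continue  # not a file rule, or no execute permission granted
        path, mode = m["path"], mode.group()
        if mode in SEVERITY:
            findings.append((no, path, mode, SEVERITY[mode]))
        # Assumption: the incompatibility lists mean one exec mode per path.
        first = seen.setdefault(path, (no, mode))
        if first[1] != mode:
            findings.append((no, path, mode,
                             f"CONFLICT: {first[1]} already set on line {first[0]}"))
    return findings

# Constructed sample profile, not taken from the manual.
SAMPLE = """\
/usr/sbin/maintd {
  /etc/maintd.conf r,
  /sbin/reboot ux,          # privileged helper, runs unconfined
  /usr/bin/logrotate Px,
  /usr/lib/maintd/helper cx,
  /usr/lib/maintd/helper Ux,
}
"""

if __name__ == "__main__":
    for finding in audit_profile(SAMPLE):
        print("line %d: %s %s -> %s" % finding)
```
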
Profile Components and Syntax

This manual is also suitable for: SUSE Linux Enterprise Server 11
