[apparmor] [patch] klog-needs-CAP_SYSLOG
Kees Cook
kees at ubuntu.com
Tue Aug 16 23:57:45 UTC 2011
Hi,
On Tue, Aug 09, 2011 at 12:13:56AM +0200, Christian Boltz wrote:
> Please ask Jeff if you want to know what it does ;-)
>
> --- a/parser/parser_misc.c
> +++ b/parser/parser_misc.c
> @@ -129,6 +129,9 @@ static int get_table_token(const char *n
> static struct keyword_table capability_table[] = {
> /* capabilities */
> #include "cap_names.h"
> +#ifndef CAP_SYSLOG
> + {"syslog", 34},
> +#endif
> /* terminate */
> {NULL, 0}
> };
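Review bot: the fallback entry `{"syslog", 34},` hard-codes the capability number with no comment saying where 34 comes from, and the `#ifndef CAP_SYSLOG` guard tests the macro rather than the contents of cap_names.h, so the two can disagree if they are built from different headers. Suggest a fallback definition of CAP_SYSLOG near the includes, with a comment that it covers builds against older kernel headers, and using the name instead of the literal in the table entry.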
This shouldn't be needed since cap_names.h is auto-generated. If it's
missing that means the kernel includes aren't up to date.
> @@ -866,6 +869,7 @@ static const char *capnames[] = {
> "audit_control",
> "setfcap",
> "mac_override"
> + "syslog",
> };
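Review bot: the line before the added `"syslog",` is `"mac_override"` with no trailing comma, so C joins the two adjacent literals into the single string "mac_overridesyslog" and capnames gains no new element. Add the comma after `"mac_override"`. If the array is indexed by capability number, also check that the new entry's position matches the 34 used for syslog in the capability_table hunk, since only audit_control, setfcap and mac_override are visible ahead of it.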
This is good, though we might want to make it more dynamic
or at least less fragile.
> const char *capability_to_name(unsigned int cap)
> --- a/profiles/apparmor.d/sbin.klogd
> +++ b/profiles/apparmor.d/sbin.klogd
> @@ -15,6 +15,7 @@
> #include <abstractions/base>
>
> capability sys_admin,
> + capability syslog,
>
> network inet stream,
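Review bot: `capability syslog,` is added next to `capability sys_admin,` with no comment on why the profile needs both. A one-line comment in the profile stating whether sys_admin stays for kernels that predate CAP_SYSLOG or for some other reason would tell the next reader whether it can be dropped later.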
Yes, we'll need this for the other loggers too.
-Kees
--
Kees Cook
Ubuntu Security Team
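
The remark above about making capnames "less fragile", as an added example that is not code from the patch or from AppArmor: a positional table with a dropped comma beside a table keyed by capability number. The `EX_`/`ex_` names and `fragile_tail` are hypothetical; the numbers are the ones `<linux/capability.h>` assigns.

```c
#include <stddef.h>
#include <string.h>

/* Capability numbers as assigned in <linux/capability.h>, redefined under
 * hypothetical EX_ names so the example builds without kernel headers. */
#define EX_CAP_AUDIT_CONTROL 30
#define EX_CAP_SETFCAP       31
#define EX_CAP_MAC_OVERRIDE  32
#define EX_CAP_SYSLOG        34
#define EX_CAP_LAST          EX_CAP_SYSLOG

#define ARRAY_LEN(a) (sizeof(a) / sizeof((a)[0]))

/* Positional table (constructed): no comma after "mac_override", so the
 * two adjacent literals merge into one string and one element. */
static const char *fragile_tail[] = {
	"audit_control",
	"setfcap",
	"mac_override"
	"syslog",
};

/* Designated initializers tie each name to its number. Order and gaps
 * (33 is left unnamed here) stop mattering, and a dropped comma can no
 * longer merge two adjacent literals. */
static const char *ex_capnames[EX_CAP_LAST + 1] = {
	[EX_CAP_AUDIT_CONTROL] = "audit_control",
	[EX_CAP_SETFCAP]       = "setfcap",
	[EX_CAP_MAC_OVERRIDE]  = "mac_override",
	[EX_CAP_SYSLOG]        = "syslog",
};

size_t fragile_tail_len(void) { return ARRAY_LEN(fragile_tail); }

const char *fragile_tail_last(void)
{
	return fragile_tail[ARRAY_LEN(fragile_tail) - 1];
}

/* Bounds-checked lookup: NULL for out-of-range or unnamed slots. */
const char *ex_capability_to_name(unsigned int cap)
{
	if (cap >= ARRAY_LEN(ex_capnames))
		return NULL;
	return ex_capnames[cap];
}
```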