[apparmor] [patch] klog-needs-CAP_SYSLOG

Steve Beattie steve at nxnw.org
Wed Aug 17 05:57:16 UTC 2011


On Tue, Aug 16, 2011 at 04:57:45PM -0700, Kees Cook wrote:
> This is good, though we might want to make it more dynamic
> or at least less fragile.
> 
> >  const char *capability_to_name(unsigned int cap)
> > --- a/profiles/apparmor.d/sbin.klogd
> > +++ b/profiles/apparmor.d/sbin.klogd
> > @@ -15,6 +15,7 @@
> >    #include <abstractions/base>
> >  
> >    capability sys_admin,
> > +  capability syslog,
> >  
> >    network inet stream,
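Review bot: the new `capability syslog,` line in this hunk sits directly under the retained `capability sys_admin,`, so on kernels that have split CAP_SYSLOG out the profile still grants the broader capability that syslog was meant to replace. Consider a profile comment above the `capability sys_admin,` line stating that it is kept only for kernels without CAP_SYSLOG, so the line can be dropped deliberately once those kernels are no longer a concern rather than lingering unnoticed.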
> 
> Yes, we'll need this for the other loggers too.

While I appreciate that the kernel people went ahead and split out
cap_syslog, I don't like leaving cap_sys_admin in the profile, because
avoiding it is precisely what cap_syslog is about. On the other hand,
people will probably use these profiles on kernels that don't yet
support cap_syslog, so getting rid of it is problematic.

-- 
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/
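The trade-off above (keeping cap_sys_admin beside cap_syslog for older kernels versus dropping it for least privilege) is easy to lose track of across many profiles. The following added example, which is not code from the AppArmor project or from this thread, parses the capability rules of a profile and reports which situation a logger profile is in. It assumes AppArmor's `capability name,` rule syntax, with `deny`/`audit` qualifiers, and that a rule may list several names; the sample profile text is constructed from the patched klogd fragment quoted above.

```python
"""Report the cap_syslog / cap_sys_admin state of an AppArmor profile.

Added example, not part of the AppArmor project. Assumes the rule forms
'capability name,', 'capability name1 name2,' (several names per rule),
a bare 'capability,' meaning every capability, and optional 'audit' /
'deny' qualifiers in front of the keyword.
"""
import re

# Constructed sample: the sbin.klogd fragment after the quoted patch.
SAMPLE_PROFILE = """\
#include <tunables/global>

/sbin/klogd {
  #include <abstractions/base>

  capability sys_admin,
  capability syslog,

  network inet stream,
}
"""

CAP_RULE = re.compile(
    r"^\s*(?P<quals>(?:(?:audit|deny)\s+)*)capability\b\s*"
    r"(?P<names>[a-z_\s]*?)\s*,\s*$"
)


def granted_capabilities(profile_text):
    """Return the set of capability names granted by non-deny rules.

    A bare 'capability,' grants everything and is reported as '*'.
    Comments (and '#include' lines) are stripped before matching.
    """
    caps = set()
    for raw in profile_text.splitlines():
        line = raw.split("#", 1)[0]
        match = CAP_RULE.match(line)
        if not match or "deny" in match.group("quals").split():
            continue
        names = match.group("names").split()
        caps.update(names if names else ["*"])
    return caps


def syslog_finding(caps):
    """Describe what the granted set means for reading the kernel log."""
    if "*" in caps:
        return "grants every capability; no least-privilege reasoning possible"
    if "syslog" in caps and "sys_admin" in caps:
        return "sys_admin kept beside syslog: needed only on kernels without CAP_SYSLOG"
    if "syslog" in caps:
        return "syslog only: kernel log access breaks on kernels that predate CAP_SYSLOG"
    if "sys_admin" in caps:
        return "sys_admin only: works everywhere but over-grants on kernels with CAP_SYSLOG"
    return "no capability in this profile permits reading the kernel log"


if __name__ == "__main__":
    print(syslog_finding(granted_capabilities(SAMPLE_PROFILE)))
```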