[apparmor] CAP_BLOCK_SUSPEND / nscd profile
Christian Boltz
apparmor at cboltz.de
Sun Dec 16 16:35:15 UTC 2012
Hello,
just noticed this while running logprof on my factory installation:
Profile: /usr/sbin/nscd
Capability: block_suspend
Severity: unexpected capability rank input: CAP_BLOCK_SUSPEND
The severity.db in trunk already contains CAP_BLOCK_SUSPEND 8, and I
propose to backport it to the 2.8 branch:
=== modified file 'utils/severity.db' === 2.8 branch ===
--- utils/severity.db 2012-03-22 20:24:12 +0000
+++ utils/severity.db 2012-12-16 16:29:21 +0000
@@ -45,6 +45,7 @@
CAP_AUDIT_WRITE 8
CAP_SYSLOG 8
CAP_WAKE_ALARM 8
+ CAP_BLOCK_SUSPEND 8
CAP_DAC_READ_SEARCH 7
# unused
CAP_NET_BROADCAST 0
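Review bot: the added line `+ CAP_BLOCK_SUSPEND 8` is shown with a space after the `+`, which the neighbouring entries (`CAP_WAKE_ALARM 8`, `CAP_DAC_READ_SEARCH 7`) do not have; make sure the committed line carries no leading whitespace so it is keyed on the `CAP_` token exactly like the others. Rank 8 matches the trunk entry the message cites and the adjacent suspend-related `CAP_WAKE_ALARM 8`, so the backport itself looks consistent.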
I also propose the following patch for the nscd profile (even if I
wonder why nscd might want to block suspend):
=== modified file 'profiles/apparmor.d/usr.sbin.nscd'
--- profiles/apparmor.d/usr.sbin.nscd 2011-08-23 22:57:42 +0000
+++ profiles/apparmor.d/usr.sbin.nscd 2012-12-16 16:20:40 +0000
@@ -16,6 +16,7 @@
#include <abstractions/nameservice>
#include <abstractions/ssl_certs>
+ capability block_suspend,
capability net_bind_service,
capability setgid,
capability setuid,
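Review bot: the rule `+ capability block_suspend,` grants a capability whose purpose for nscd the message itself cannot explain; a logprof entry shows that nscd attempted the operation, not that nscd needs it, so before widening the profile check whether nscd misbehaves without the grant and, if it does not, leave the rule out rather than add it to quiet the log. Since the message also says the parser rejects unknown capability names with "Invalid capability", landing this in the 2.8 branch would stop the whole nscd profile from loading on kernels that lack CAP_BLOCK_SUSPEND, which argues for trunk only.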
The question of whether we should do this only for trunk or also for the 2.8
branch is a bit tricky, because it depends on the kernel version, and
unfortunately the parser seems to bail out with "Invalid capability" if
the kernel doesn't support it :-( (tested with "capability foo" ;-)
Regards,
Christian Boltz
--
We work *with* SUSE, but not *for* SUSE. Using @suse.de
would imply that to the world that we are somehow employed
by SUSE, and I haven't seen a paycheck from them yet. :-)
[Bryen M Yunashko in opensuse-project]
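As an added example (not code from the post or from the AppArmor project), the following Python models the two problems the message raises: the missing severity.db rank that logprof reported, and a `capability` rule that the parser rejects on a kernel lacking the capability. The severity.db excerpt and the CAP_* index table are constructed here, and gating the rule on cap_last_cap is an assumption.

```python
# Added example, not code from the post or the AppArmor tools. It models the
# two problems the message describes: logprof has no severity rank for a
# capability missing from severity.db, and a `capability` rule the parser
# does not know keeps the whole profile from loading. The severity.db text
# is constructed from the hunk above; CAP_* indices are the Linux values.

SEVERITY_DB_28 = """\
# constructed excerpt of utils/severity.db (2.8 branch, before the patch)
CAP_AUDIT_WRITE 8
CAP_SYSLOG 8
CAP_WAKE_ALARM 8
CAP_DAC_READ_SEARCH 7
# unused
CAP_NET_BROADCAST 0
"""

# Capability indices from linux/capability.h, limited to the names in the
# nscd profile; CAP_BLOCK_SUSPEND (36) first appeared in Linux 3.5.
CAP_INDEX = {"setgid": 6, "setuid": 7, "net_bind_service": 10,
             "wake_alarm": 35, "block_suspend": 36}


def parse_severity_db(text):
    """Return {CAP_NAME: rank} from the CAP_ lines of severity.db-style text;
    comments, blank lines and the file's path entries are skipped."""
    ranks = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("CAP_"):
            name, rank = line.split()
            ranks[name] = int(rank)
    return ranks


def capability_rank(ranks, cap):
    """Mirror logprof: rule `capability foo,` is looked up as CAP_FOO, and a
    name absent from severity.db yields the warning seen in the post."""
    key = "CAP_" + cap.upper()
    if key not in ranks:
        return "unexpected capability rank input: " + key
    return ranks[key]


def capability_rules(caps, cap_last_cap):
    """Emit `capability` rules only for names the kernel defines, given the
    value of /proc/sys/kernel/cap_last_cap (35 without CAP_BLOCK_SUSPEND,
    36 with it). Assumes the parser's table tracks the running kernel, as
    the message says, so the rule is left out where it would be rejected."""
    return ["  capability %s," % c for c in sorted(caps)
            if CAP_INDEX[c] <= cap_last_cap]
```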