[apparmor] CAP_BLOCK_SUSPEND / nscd profile
John Johansen
john.johansen at canonical.com
Mon Dec 17 08:50:57 UTC 2012
On 12/16/2012 08:35 AM, Christian Boltz wrote:
> Hello,
>
> just noticed this while running logprof on my factory installation:
>
> Profile: /usr/sbin/nscd
> Capability: block_suspend
> Severity: unexpected capability rank input: CAP_BLOCK_SUSPEND
>
> The severity.db in trunk already contains CAP_BLOCK_SUSPEND 8, and I
> propose to backport it to the 2.8 branch:
Sure,
Acked-by: John Johansen <john.johansen at canonical.com>
>
> === modified file 'utils/severity.db' === 2.8 branch ===
> --- utils/severity.db 2012-03-22 20:24:12 +0000
> +++ utils/severity.db 2012-12-16 16:29:21 +0000
> @@ -45,6 +45,7 @@
> CAP_AUDIT_WRITE 8
> CAP_SYSLOG 8
> CAP_WAKE_ALARM 8
> + CAP_BLOCK_SUSPEND 8
> CAP_DAC_READ_SEARCH 7
> # unused
> CAP_NET_BROADCAST 0
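Review bot: The three rank-8 entries visible in the context (CAP_AUDIT_WRITE, CAP_SYSLOG, CAP_WAKE_ALARM) are in alphabetical order; if that ordering is intentional, the new `CAP_BLOCK_SUSPEND 8` line belongs between CAP_AUDIT_WRITE and CAP_SYSLOG rather than after CAP_WAKE_ALARM. The value itself is fine: rank 8 matches the trunk entry cited in the message, and keeping it inside the rank-8 block ahead of `CAP_DAC_READ_SEARCH 7` is consistent with how the table is laid out, so this is a straight data-only backport.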
>
>
> I also propose the following patch for the nscd profile (even if I
> wonder why nscd might want to block suspend):
>
> === modified file 'profiles/apparmor.d/usr.sbin.nscd'
> --- profiles/apparmor.d/usr.sbin.nscd 2011-08-23 22:57:42 +0000
> +++ profiles/apparmor.d/usr.sbin.nscd 2012-12-16 16:20:40 +0000
> @@ -16,6 +16,7 @@
> #include <abstractions/nameservice>
> #include <abstractions/ssl_certs>
>
> + capability block_suspend,
> capability net_bind_service,
> capability setgid,
> capability setuid,
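Review bot: The question raised in the message itself (why nscd would need to block suspend) should be settled before this line goes in: a rule added only because logprof reported a denial grants the capability permanently, and the surrounding context shows nscd otherwise confined to net_bind_service, setgid and setuid. If nscd keeps working without it, a `deny capability block_suspend,` rule would silence the log entry without widening the profile; if it genuinely needs it, a short `#` comment above the new line explaining why would help the next person who sees the same logprof prompt. Placement is fine, since block_suspend sorts before net_bind_service alphabetically.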
>
> The question of whether we should do this only for trunk or also for the
> 2.8 branch is a bit tricky because it depends on the kernel version, and
> unfortunately the parser seems to bail out with "Invalid capability" if
> the kernel doesn't support it :-( (tested with "capability foo" ;-)
>
Right, this is a bit of a pain but something we need to work on fixing,
and I can see bringing the patch back to 2.8. We actually have an open
bug about this.

I was thinking of a hybrid approach of a static table + the current
dynamic generation + the kernel module better exporting what it supports.
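As an added example, not part of this thread or of the AppArmor utils: a small Python checker in the spirit of the hybrid approach described above, combining a static name-to-number table (values from linux/capability.h, limited here to the names that occur in this thread) with what the kernel exports through /proc/sys/kernel/cap_last_cap (available since Linux 3.2), and running it over the capability rules of the patched nscd profile to flag rules a kernel without CAP_BLOCK_SUSPEND could not honour. The function and constant names are hypothetical.

```python
import re

# Static table: capability names as written in AppArmor profiles -> the
# numbers from linux/capability.h. Only the names that appear in this
# thread are listed; a real checker would carry the whole table.
CAP_NUMBERS = {
    "dac_read_search": 2, "setgid": 6, "setuid": 7,
    "net_bind_service": 10, "net_broadcast": 11, "audit_write": 29,
    "syslog": 34, "wake_alarm": 35, "block_suspend": 36,
}

# Matches 'capability name,' and 'deny capability name,' rules; comment
# and #include lines never match because the keyword must come first.
CAP_RULE = re.compile(r"^\s*(?:deny\s+)?capability\s+([a-z_]+)\s*,")

def read_cap_last_cap(path="/proc/sys/kernel/cap_last_cap"):
    """Highest capability number the running kernel knows (Linux 3.2+)."""
    with open(path) as fh:
        return int(fh.read().strip())

def check_profile(profile_text, cap_last_cap):
    """Return {name: number} for every capability rule the given kernel
    could not honour: the number exceeds cap_last_cap, or the name is not
    in the static table (number None), like the 'capability foo' test."""
    problems = {}
    for line in profile_text.splitlines():
        match = CAP_RULE.match(line)
        if not match:
            continue
        name = match.group(1)
        number = CAP_NUMBERS.get(name)
        if number is None or number > cap_last_cap:
            problems[name] = number
    return problems

# Constructed sample: the capability rules from the patched nscd profile.
NSCD_RULES = """\
  #include <abstractions/nameservice>
  capability block_suspend,
  capability net_bind_service,
  capability setgid,
  capability setuid,
"""

if __name__ == "__main__":
    last = read_cap_last_cap()
    for name, number in check_profile(NSCD_RULES, last).items():
        if number is None:
            print(f"capability {name}: unknown name")
        else:
            print(f"capability {name} ({number}): kernel only goes to {last}")
```

On a kernel whose cap_last_cap is 35 the block_suspend rule is the one reported, which is exactly the rule the 2.8 parser would reject; on a kernel reporting 36 or higher the profile passes clean.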