[apparmor] [patch] Re: genprof shows strange severity for CAP_SYSLOG

Steve Beattie steve at nxnw.org
Fri Mar 16 07:49:39 UTC 2012


[Breaking the threading here intentionally to make this message
 more visible.]

On Sun, Mar 04, 2012 at 03:19:46PM +0100, Christian Boltz wrote:
> Capability: syslog
> Severity:   unexpected capability rank input: CAP_SYSLOG

This is emitted because the syslog capability is missing from the
severity.db. A patch to address this follows...

This patch adds several missing capabilities to the utils/ severity.db
file, along with corresponding severity levels that I believe are
appropriate (discussion welcome):

  CAP_MAC_ADMIN 10
  CAP_MAC_OVERRIDE 10
  CAP_SETFCAP 9
  CAP_SYSLOG 8
  CAP_WAKE_ALARM 8

The latter two are undocumented in the capabilities(7) man page provided
in Ubuntu 12.04; the syslog one is the separation out of accessing the
dmesg buffer from CAP_SYSADMIN, and the CAP_WAKE_ALARM allows setting
alarms that would wake a system from a suspended state, if my reading is
correct.

It also adds a new make target, check_severity_db, which parses out the
set of capabilities from /usr/include/linux/capability.h, greps the
severity.db for the presence of the capability, and issues a build time
warning if it does not find it. I could be convinced to turn this into
an error, if it's believed the warnings won't be noticed.

I also fixed a trailing whitespace on CAP_CHOWN, moved
CAP_DAC_READ_SEARCH to the end of the section of capabilities it's in
due to its lower priority level (7). I also silenced the check targets,
so that only the output from them will be emitted.

---
 utils/Makefile    |   13 ++++++++++++-
 utils/severity.db |    9 +++++++--
 2 files changed, 19 insertions(+), 3 deletions(-)

Index: b/utils/Makefile
===================================================================
--- a/utils/Makefile
+++ b/utils/Makefile
@@ -68,7 +68,18 @@ clean: _clean
 	rm -f Make.rules
 	$(MAKE) -C po clean
 
-check:
+.PHONY: check_severity_db
+.SILENT: check_severity_db
+check_severity_db: /usr/include/sys/capability.h severity.db
+	# The sed statement is based on the one in the parser's makefil
+	for cap in $$(LC_ALL=C sed -n -e "/CAP_EMPTY_SET/d" -e "s/^\#define[ \\t]\\+CAP_\\([A-Z0-9_]\\+\\)[ \\t]\\+\\([0-9xa-f]\\+\\)\\(.*\\)\$$/\\UCAP_\\1/p" /usr/include/linux/capability.h) ; do \
+	    grep -q -w $${cap} severity.db || \
+		echo "Warning! cap $${cap} not found in severity.db" ; \
+	done
+
+.PHONY: check
+.SILENT: check
+check: check_severity_db
 	for i in ${MODULES} ${PERLTOOLS} ; do \
 		perl -c $$i || exit 1; \
 	done
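Review bot: the rule's prerequisite does not match the file the recipe parses: `check_severity_db: /usr/include/sys/capability.h severity.db` names libcap's header, while the `for cap in $$(LC_ALL=C sed ... /usr/include/linux/capability.h)` loop reads the kernel header, so `make check` fails with "No rule to make target" on a system without libcap-dev and changes to the header actually read are not tracked; suggest `check_severity_db: /usr/include/linux/capability.h severity.db`. Two smaller points in the same recipe: `grep -q -w $${cap} severity.db` is also satisfied by a capability name that only appears in a comment line of severity.db, so a commented-out entry would silence the warning, and the comment "based on the one in the parser's makefil" is missing the final "e".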
Index: b/utils/severity.db
===================================================================
--- a/utils/severity.db
+++ b/utils/severity.db
@@ -14,9 +14,12 @@
        CAP_SYS_MODULE 10
        CAP_SYS_PTRACE 10
        CAP_SYS_RAWIO 10
+       CAP_MAC_ADMIN 10
+       CAP_MAC_OVERRIDE 10
 # Allow other processes to 0wn the machine:
        CAP_SETPCAP 9
-       CAP_CHOWN 9 
+       CAP_SETFCAP 9
+       CAP_CHOWN 9
        CAP_FSETID 9
        CAP_MKNOD 9
        CAP_LINUX_IMMUTABLE 9
@@ -38,9 +41,11 @@
        CAP_LEASE 8
        CAP_IPC_LOCK 8
        CAP_SYS_TTY_CONFIG 8
-       CAP_DAC_READ_SEARCH 7
        CAP_AUDIT_CONTROL 8
        CAP_AUDIT_WRITE 8
+       CAP_SYSLOG 8
+       CAP_WAKE_ALARM 8
+       CAP_DAC_READ_SEARCH 7
 # unused
        CAP_NET_BROADCAST 0
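Review bot: after the move, `CAP_DAC_READ_SEARCH 7` is the last entry in a run of level-8 capabilities with nothing separating it from them, so the lone lower rank reads like a typo; suggest a comment line above it, in the style of the `# unused` header that follows, so the intended drop to 7 is visible.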
 


-- 
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/
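As an added illustration of the check the cover letter describes (not code from this patch or from the AppArmor project), here is a POSIX shell version that parses the rank entries of severity.db instead of grepping whole lines, so a capability named only in a comment still counts as unranked. The capability.h and severity.db contents are constructed samples of the relevant lines, not the real files.

```shell
# Added example (not part of the patch): warn for every CAP_* name defined
# in capability.h that has no rank entry in severity.db. Entries are parsed
# from severity.db, so a name mentioned only in a comment is still missing.

# Write constructed samples of the relevant lines (not the real files).
write_samples() {
    cat > "$1/capability.h" <<'EOF'
#define CAP_CHOWN            0
#define CAP_DAC_READ_SEARCH  2
#define CAP_SYSLOG           34
#define CAP_WAKE_ALARM       35
#define CAP_LAST_CAP         CAP_WAKE_ALARM
EOF
    cat > "$1/severity.db" <<'EOF'
# Allow other processes to 0wn the machine:
       CAP_CHOWN 9
# TODO: rank CAP_SYSLOG
       CAP_DAC_READ_SEARCH 7
EOF
}

# Print CAP_* names the header defines with a numeric value (CAP_LAST_CAP is skipped).
header_caps() {
    LC_ALL=C sed -n -e 's/^#define[[:space:]][[:space:]]*\(CAP_[A-Z0-9_][A-Z0-9_]*\)[[:space:]][[:space:]]*[0-9][0-9]*.*$/\1/p' "$1"
}

# Print capability names that have a rank entry; comment lines never match.
db_caps() {
    LC_ALL=C sed -n -e 's/^[[:space:]]*\(CAP_[A-Z0-9_][A-Z0-9_]*\)[[:space:]][[:space:]]*[0-9][0-9]*[[:space:]]*$/\1/p' "$1"
}

# Print each header capability with no rank in the db; return 1 if any is missing.
missing_caps() {
    rc=0
    for cap in $(header_caps "$1"); do
        if ! db_caps "$2" | grep -q -x "$cap"; then
            echo "$cap"
            rc=1
        fi
    done
    return $rc
}

# Run the check against the constructed samples in a scratch directory.
run_demo() {
    dir=$(mktemp -d) && write_samples "$dir"
    missing_caps "$dir/capability.h" "$dir/severity.db"; status=$?
    rm -rf "$dir"; return $status
}
```

Calling `run_demo` prints CAP_SYSLOG and CAP_WAKE_ALARM and exits non-zero, since the first is only named in a comment and the second is absent.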