[apparmor] [patch 4/6] add missing capabilities to severity.db
John Johansen
john.johansen at canonical.com
Thu Mar 22 18:47:44 UTC 2012
On 03/22/2012 10:06 AM, Steve Beattie wrote:
> This patch adds several missing capabilities to the utils/
> severity.db file as detected by the newly added make check target,
> along with corresponding severity levels that I believe are appropriate
> (discussion welcome):
>
> CAP_MAC_ADMIN 10
> CAP_MAC_OVERRIDE 10
> CAP_SETFCAP 9
> CAP_SYSLOG 8
> CAP_WAKE_ALARM 8
>
> The latter two are undocumented in the capabilities(7) man page
> provided in Ubuntu 12.04; the syslog one is the separation out of
> accessing the dmesg buffer from CAP_SYSADMIN, and the CAP_WAKE_ALARM
> allows setting alarms that would wake a system from a suspended state,
> if my reading is correct.
>
> This also fixes a trailing whitespace on CAP_CHOWN, moves
> CAP_DAC_READ_SEARCH to the end of the section of capabilities it's
> in due to its lower priority level (7).
>
Acked-by: John Johansen <john.johansen at canonical.com>
> ---
> utils/severity.db | 9 +++++++--
> 1 file changed, 7 insertions(+), 2 deletions(-)
>
> Index: b/utils/severity.db
> ===================================================================
> --- a/utils/severity.db
> +++ b/utils/severity.db
> @@ -14,9 +14,12 @@
> CAP_SYS_MODULE 10
> CAP_SYS_PTRACE 10
> CAP_SYS_RAWIO 10
> + CAP_MAC_ADMIN 10
> + CAP_MAC_OVERRIDE 10
> # Allow other processes to 0wn the machine:
> CAP_SETPCAP 9
> - CAP_CHOWN 9
> + CAP_SETFCAP 9
> + CAP_CHOWN 9
> CAP_FSETID 9
> CAP_MKNOD 9
> CAP_LINUX_IMMUTABLE 9
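Review bot: the `- CAP_CHOWN 9` / `+ CAP_CHOWN 9` pair in this hunk looks like a no-op in the rendered diff; the cover letter explains it is a trailing-whitespace fix, but that rationale should also be in the commit message so the whitespace-only change is not mistaken for a severity change on later review. Placing CAP_MAC_ADMIN and CAP_MAC_OVERRIDE in the top (10) group is consistent with the file's grouping, since both bypass or administer mandatory access control; a short comment next to those two entries stating that rationale would help maintainers who later re-audit the levels.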
> @@ -38,9 +41,11 @@
> CAP_LEASE 8
> CAP_IPC_LOCK 8
> CAP_SYS_TTY_CONFIG 8
> - CAP_DAC_READ_SEARCH 7
> CAP_AUDIT_CONTROL 8
> CAP_AUDIT_WRITE 8
> + CAP_SYSLOG 8
> + CAP_WAKE_ALARM 8
> + CAP_DAC_READ_SEARCH 7
> # unused
> CAP_NET_BROADCAST 0
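Review bot: moving `CAP_DAC_READ_SEARCH 7` below the 8-valued entries keeps the file in descending severity order, but it now sits directly above the `# unused` comment with nothing marking where the 8 section ends and the 7 section begins; a comment line before it (matching the style of `# Allow other processes to 0wn the machine:` above) would make the grouping explicit. For `CAP_SYSLOG 8` and `CAP_WAKE_ALARM 8`, the cover letter notes both are undocumented in the distro's capabilities(7) and that the levels are open for discussion, so an inline comment stating the reasoning given there (dmesg/syslog access split from CAP_SYS_ADMIN; setting alarms that wake a suspended system) would preserve that reasoning in the file itself.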