[apparmor] [patch] fix "unknown capability: CAP_whatever" in aa-logprof

Steve Beattie steve at nxnw.org
Thu Nov 13 23:15:41 UTC 2014


On Thu, Nov 13, 2014 at 09:00:35PM +0100, Christian Boltz wrote:
> Hello,
> 
> when aa-logprof asks for a capability, you'll see something like
> 
>     WARN: unknown capability: CAP_block_suspend
> 
>     Profile:    /bin/foo
>     Capability: block_suspend
>     Severity:   unknown
> 
> The reason for the warning and "Severity: unknown" is that severity.db 
> contains the capability names in uppercase, but ask_the_question() calls 
> sev_db.rank with the capability in lowercase.
> 
> This patch converts the "CAP_$capability" string to uppercase before 
> doing the lookup.
> 
> 
> === modified file 'utils/apparmor/severity.py'
> --- utils/apparmor/severity.py  2014-11-06 20:37:02 +0000
> +++ utils/apparmor/severity.py  2014-11-13 19:55:45 +0000
> @@ -77,8 +77,9 @@
>  
>      def handle_capability(self, resource):
>          """Returns the severity of for the capability resource, default value if no match"""
> -        if resource in self.severity['CAPABILITIES'].keys():
> -            return self.severity['CAPABILITIES'][resource]
> +        cap = resource.upper()
> +        if cap in self.severity['CAPABILITIES'].keys():
> +            return self.severity['CAPABILITIES'][cap]
>          # raise ValueError("unexpected capability rank input: %s"%resource)
>          warn("unknown capability: %s" % resource)
>          return self.severity['DEFAULT_RANK']

Acked-by: Steve Beattie <steve at nxnw.org>, so long as the following patch is
committed at the same time:
---
 utils/test/test-severity.py |    3 +++
 1 file changed, 3 insertions(+)

Index: b/utils/test/test-severity.py
===================================================================
--- a/utils/test/test-severity.py
+++ b/utils/test/test-severity.py
@@ -68,6 +68,9 @@ class SeverityTest(SeverityBaseTest):
     def test_cap_setpcap(self):
         self._simple_severity_test('CAP_SETPCAP', 9)
 
+    def test_cap_setpcap_lowercase(self):
+        self._simple_severity_test('CAP_setpcap', 9)
+
     def test_cap_unknown_1(self):
         self._simple_severity_test('CAP_UNKNOWN', 10)
 
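Review bot: The added `test_cap_setpcap_lowercase` only covers the hit path, with a name that is known to the database once uppercased. Since the companion change uppercases the input before the lookup but still warns and falls back to the default on a miss, a second case next to `test_cap_unknown_1` that passes a lowercase unknown name (for example `'CAP_unknown'`, expecting 10) would pin down that the fallback is unchanged for lowercase input. A short comment or docstring on the new test noting that aa-logprof passes the capability name in lowercase would also record why the case exists.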

-- 
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/