This patch adds several missing capabilities to the utils/
severity.db file as detected by the newly added make check target,
along with corresponding severity levels that I believe are appropriate
(discussion welcome):

  CAP_MAC_ADMIN 10
  CAP_MAC_OVERRIDE 10
  CAP_SETFCAP 9
  CAP_SYSLOG 8
  CAP_WAKE_ALARM 8

The latter two are undocumented in the capabilities(7) man page
provided in Ubuntu 12.04; the syslog one is the separation out of
accessing the dmesg buffer from CAP_SYS_ADMIN, and the CAP_WAKE_ALARM
allows setting alarms that would wake a system from a suspended state,
if my reading is correct.

This also fixes trailing whitespace on CAP_CHOWN, and moves
CAP_DAC_READ_SEARCH to the end of the section of capabilities it's
in due to its lower priority level (7).

---
 utils/severity.db |    9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

Index: b/utils/severity.db
===================================================================
--- a/utils/severity.db
+++ b/utils/severity.db
@@ -14,9 +14,12 @@
        CAP_SYS_MODULE 10
        CAP_SYS_PTRACE 10
        CAP_SYS_RAWIO 10
+       CAP_MAC_ADMIN 10
+       CAP_MAC_OVERRIDE 10
 # Allow other processes to 0wn the machine:
        CAP_SETPCAP 9
-       CAP_CHOWN 9 
+       CAP_SETFCAP 9
+       CAP_CHOWN 9
        CAP_FSETID 9
        CAP_MKNOD 9
        CAP_LINUX_IMMUTABLE 9
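Review bot: the `-       CAP_CHOWN 9 ` / `+       CAP_CHOWN 9` pair is a whitespace-only cleanup bundled with the new entries; it is harmless, but it makes blame for that line point at this change, so consider splitting it into its own commit. Placement of CAP_SETFCAP at 9 directly under CAP_SETPCAP, inside the "# Allow other processes to 0wn the machine:" section, is consistent, and CAP_MAC_ADMIN / CAP_MAC_OVERRIDE at 10 land beside the other 10-level entries, but the comment heading for that top section is outside the hunk, so please confirm it describes MAC-policy capabilities as well.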
@@ -38,9 +41,11 @@
        CAP_LEASE 8
        CAP_IPC_LOCK 8
        CAP_SYS_TTY_CONFIG 8
-       CAP_DAC_READ_SEARCH 7
        CAP_AUDIT_CONTROL 8
        CAP_AUDIT_WRITE 8
+       CAP_SYSLOG 8
+       CAP_WAKE_ALARM 8
+       CAP_DAC_READ_SEARCH 7
 # unused
        CAP_NET_BROADCAST 0
 
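Review bot: moving CAP_DAC_READ_SEARCH 7 from the middle of the 8-level run to just above "# unused" keeps the section in descending severity order, which is the right fix; but the two new entries CAP_SYSLOG 8 and CAP_WAKE_ALARM 8 are the capabilities the cover letter says are undocumented in the local capabilities(7), and CAP_SYS_ADMIN (from which the cover letter says CAP_SYSLOG was split) is not visible in this hunk, so it would help to add a one-line comment next to these two recording the rationale for 8 so the next reader of severity.db does not have to dig up this thread.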


-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor
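The cover letter mentions a make check target that reports capabilities missing from severity.db. As an added illustration of what such a check does (this is not the AppArmor project's own code), the following parses the `CAP_NAME <level>` / `# comment` format shown in the patch and compares it against a list of capability names; the kernel header as the source of that list, and the sample database excerpt, are both constructed assumptions.

```python
import re

# Constructed excerpt in the severity.db format shown in the patch:
# "CAP_NAME <level>" entries, "#" comment lines, leading whitespace allowed.
SAMPLE_DB = """\
# Allow other processes to 0wn the machine:
        CAP_SETPCAP 9
        CAP_CHOWN 9 
        CAP_FSETID 9
# unused
        CAP_NET_BROADCAST 0
"""

# Constructed stand-in for the names a real check would extract from the
# kernel's linux/capability.h (assumption: that header is the source of truth).
KNOWN_CAPS = ["CAP_CHOWN", "CAP_FSETID", "CAP_NET_BROADCAST",
              "CAP_SETPCAP", "CAP_SETFCAP", "CAP_SYSLOG"]

ENTRY_RE = re.compile(r"^\s*(CAP_[A-Z0-9_]+)\s+(\d+)\s*$")

def parse_severity_db(text):
    """Return ({cap: level}, [warnings]) for a severity.db body."""
    levels, warnings = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank or comment line
        m = ENTRY_RE.match(line)
        if not m:
            warnings.append(f"line {lineno}: unparseable entry {line!r}")
            continue
        cap, level = m.group(1), int(m.group(2))
        if line != line.rstrip():  # the CAP_CHOWN defect fixed by the patch
            warnings.append(f"line {lineno}: trailing whitespace on {cap}")
        if cap in levels:
            warnings.append(f"line {lineno}: duplicate entry for {cap}")
        levels[cap] = level
    return levels, warnings

def check_coverage(levels, known_caps):
    """Capabilities the kernel knows but the DB does not rate, and vice versa."""
    missing = sorted(set(known_caps) - set(levels))
    unknown = sorted(set(levels) - set(known_caps))
    return missing, unknown

if __name__ == "__main__":
    lv, warns = parse_severity_db(SAMPLE_DB)
    missing, unknown = check_coverage(lv, KNOWN_CAPS)
    print("warnings:", warns)
    print("missing from severity.db:", missing)
    print("not a known capability:", unknown)
```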