This patch adds several missing capabilities to the utils/severity.db file as detected by the newly added make check target, along with corresponding severity levels that I believe are appropriate (discussion welcome):
CAP_MAC_ADMIN 10
CAP_MAC_OVERRIDE 10
CAP_SETFCAP 9
CAP_SYSLOG 8
CAP_WAKE_ALARM 8

The latter two are undocumented in the capabilities(7) man page provided in Ubuntu 12.04; the syslog one is the separation out of accessing the dmesg buffer from CAP_SYS_ADMIN, and CAP_WAKE_ALARM allows setting alarms that would wake a system from a suspended state, if my reading is correct. This also fixes a trailing whitespace on CAP_CHOWN, and moves CAP_DAC_READ_SEARCH to the end of the section of capabilities it's in due to its lower priority level (7).

---
 utils/severity.db | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

Index: b/utils/severity.db
===================================================================
--- a/utils/severity.db
+++ b/utils/severity.db
@@ -14,9 +14,12 @@ CAP_SYS_MODULE 10 CAP_SYS_PTRACE 10 CAP_SYS_RAWIO 10 + CAP_MAC_ADMIN 10 + CAP_MAC_OVERRIDE 10 # Allow other processes to 0wn the machine: CAP_SETPCAP 9 - CAP_CHOWN 9 + CAP_SETFCAP 9 + CAP_CHOWN 9 CAP_FSETID 9 CAP_MKNOD 9 CAP_LINUX_IMMUTABLE 9 @@ -38,9 +41,11 @@ CAP_LEASE 8 CAP_IPC_LOCK 8 CAP_SYS_TTY_CONFIG 8 - CAP_DAC_READ_SEARCH 7 CAP_AUDIT_CONTROL 8 CAP_AUDIT_WRITE 8 + CAP_SYSLOG 8 + CAP_WAKE_ALARM 8 + CAP_DAC_READ_SEARCH 7 # unused CAP_NET_BROADCAST 0

-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
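Review bot: in the first hunk (@@ -14,9 +14,12 @@), the two new top-tier entries `+ CAP_MAC_ADMIN 10` and `+ CAP_MAC_OVERRIDE 10` are appended after CAP_SYS_RAWIO 10 with no in-file rationale, while the file already documents its groupings with `#` lines such as "# Allow other processes to 0wn the machine:"; add a one-line comment above them stating that these allow a process to change or bypass the MAC policy, i.e. the confinement this tool is assessing, so the 10 rating is reviewable from the file itself. `+ CAP_SETFCAP 9` sits under that existing "0wn the machine" comment next to CAP_SETPCAP 9, which is consistent. The `- CAP_CHOWN 9` / `+ CAP_CHOWN 9` pair is a pure trailing-whitespace fix that is invisible in the rendered diff; if the new make check target does not already reject trailing whitespace, extending it to do so would keep such entries from reappearing.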
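Review bot: in the second hunk (@@ -38,9 +41,11 @@), the relocated `+ CAP_DAC_READ_SEARCH 7` now sits as a lone severity-7 line directly between `+ CAP_WAKE_ALARM 8` and the "# unused" comment, so it reads as the tail of the 8 block rather than as its own tier; give it a `#` comment line in the style the file already uses, or at least a blank line, so the 7 level is visibly intentional. Separately, the reasoning given in the commit message for rating CAP_SYSLOG and CAP_WAKE_ALARM at 8 (split out of CAP_SYS_ADMIN; waking the system from suspend; neither documented in the 12.04 capabilities(7)) is not carried into the file, and CAP_WAKE_ALARM concerns availability rather than confinement while being rated equal to CAP_SYSLOG; since the author explicitly invites discussion of these levels, a short in-file comment on why both land at 8 would let later reviewers judge them without digging up this thread.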