
Add debug reporting for the other capability entry types (audit, deny).
This commit is contained in:
Steve Beattie
2010-01-07 15:48:14 -08:00
parent 8304b7db87
commit 09ced81ee5
2 changed files with 167 additions and 1 deletions


@@ -847,13 +847,18 @@ void debug_capabilities(struct codomain *cod)
{ {
if (cod->capabilities != 0ull) if (cod->capabilities != 0ull)
__debug_capabilities(cod->capabilities, "Capabilities"); __debug_capabilities(cod->capabilities, "Capabilities");
if (cod->audit_caps != 0ull)
__debug_capabilities(cod->audit_caps, "Audit Caps");
if (cod->deny_caps != 0ull)
__debug_capabilities(cod->deny_caps, "Deny Caps");
if (cod->quiet_caps != 0ull)
__debug_capabilities(cod->quiet_caps, "Quiet Caps");
if (cod->set_caps != 0ull) if (cod->set_caps != 0ull)
__debug_capabilities(cod->set_caps, "Set Capabilities"); __debug_capabilities(cod->set_caps, "Set Capabilities");
} }
void debug_cod_list(struct codomain *cod) void debug_cod_list(struct codomain *cod)
{ {
unsigned int i;
if (cod->namespace) if (cod->namespace)
printf("Namespace:\t\t%s\n", cod->namespace); printf("Namespace:\t\t%s\n", cod->namespace);
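Review bot: The labels on the three new calls are abbreviated ("Audit Caps", "Deny Caps", "Quiet Caps") while the neighbouring calls spell out "Capabilities" and "Set Capabilities", so the debug dump now mixes two naming styles for the same kind of field; using `"Audit Capabilities"`, `"Deny Capabilities"` and `"Quiet Capabilities"` keeps the output uniform and easier to grep. debug_capabilities also has no comment stating that each set is printed only when non-zero, which makes an empty dump ambiguous between "no capabilities" and "not reported"; a header such as `/* Print every capability set of cod that is non-zero; sets that are 0 are skipped silently */` would make that explicit. The commit message mentions only audit and deny, yet the hunk also reports quiet_caps — worth stating in the message or a comment so the extra field is not taken for an accident. The hunk continues into debug_cod_list, whose body runs past the end of the hunk.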


@@ -0,0 +1,161 @@
#
# $Id$
#=DESCRIPTION validate some uses of capabilties.
#=EXRESULT PASS
# vim:syntax=subdomain
# Last Modified: Sun Apr 17 19:44:44 2005
#
/does/not/exist {
audit capability chown,
audit capability dac_override,
audit capability dac_read_search,
audit capability fowner,
audit capability fsetid,
audit capability kill,
audit capability setgid,
audit capability setuid,
audit capability setpcap,
audit capability linux_immutable,
audit capability net_bind_service,
audit capability net_broadcast,
audit capability net_admin,
audit capability net_raw,
audit capability ipc_lock,
audit capability ipc_owner,
audit capability sys_module,
audit capability sys_rawio,
audit capability sys_chroot,
audit capability sys_ptrace,
audit capability sys_pacct,
audit capability sys_admin,
audit capability sys_boot,
audit capability sys_nice,
audit capability sys_resource,
audit capability sys_time,
audit capability sys_tty_config,
audit capability mknod,
audit capability lease,
audit capability audit_write,
audit capability audit_control,
audit capability setfcap,
audit capability mac_override,
}
/does/not/exist2 {
^chown {
deny capability chown,
}
^dac_override {
deny capability dac_override,
}
^dac_read_search {
deny capability dac_read_search,
}
^fowner {
deny capability fowner,
}
^fsetid {
deny capability fsetid,
}
^kill {
deny capability kill,
}
^setgid {
deny capability setgid,
}
^setuid {
deny capability setuid,
}
^setpcap {
deny capability setpcap,
}
^linux_immutable {
deny capability linux_immutable,
}
^net_bind_service {
deny capability net_bind_service,
}
^net_broadcast {
deny capability net_broadcast,
}
^net_admin {
deny capability net_admin,
}
^net_raw {
deny capability net_raw,
}
^ipc_lock {
deny capability ipc_lock,
}
^ipc_owner {
deny capability ipc_owner,
}
^sys_module {
deny capability sys_module,
}
^sys_rawio {
deny capability sys_rawio,
}
^sys_chroot {
deny capability sys_chroot,
}
^sys_ptrace {
deny capability sys_ptrace,
}
^sys_pacct {
deny capability sys_pacct,
}
^sys_admin {
deny capability sys_admin,
}
^sys_boot {
deny capability sys_boot,
}
^sys_nice {
deny capability sys_nice,
}
^sys_resource {
deny capability sys_resource,
}
^sys_time {
deny capability sys_time,
}
^sys_tty_config {
deny capability sys_tty_config,
}
^mknod {
deny capability mknod,
}
^lease {
deny capability lease,
}
^audit_write {
deny capability audit_write,
}
^audit_control {
deny capability audit_control,
}
}
# Test for duplicates?
/does/not/exist3 {
capability mknod,
audit capability mknod,
deny capability mknod,
audit capability mknod,
deny capability mknod,
capability mknod,
}
/does/not/exit101 {
capability chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control,
}
/does/not/exit102 {
audit deny capability chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control,
deny capability chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control,
}
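Review bot: The deny coverage in this new test is narrower than the audit coverage: the audit block of /does/not/exist lists setfcap and mac_override, but the per-hat deny block of /does/not/exist2 and the combined lists in /does/not/exit101 and /does/not/exit102 stop at audit_control, so `deny capability setfcap,` and `deny capability mac_override,` are never parsed by this test. The header description also has a typo ("capabilties") and does not say what the file checks; something like `#=DESCRIPTION validate audit, deny and combined capability rules, plus repeated rules for one capability` would tell a reader what a PASS result covers. The "# Test for duplicates?" comment leaves the intent of /does/not/exist3 open — since the expected result is PASS, the comment should state that repeated and conflicting rules for the same capability are meant to be accepted by the parser, as the test cannot check which rule takes effect. The profile names /does/not/exit101 and /does/not/exit102 presumably were meant to follow the /does/not/exist pattern used above.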