parse: add backmapping capability information

Some capabilities like perfmon and bpf have been split out from another capability, likely cap sys_admin. Add this backmapping infomation so that the parser can take advantage of it to support policy on older kernels that don't support the new capabilities. Signed-off-by: John Johansen <john.johansen@canonical.com>
2025-08-31 22:35:35 +00:00 · 2020-07-02 03:01:25 -07:00
parent fb9c5f9bcf
commit 168b141cc2
3 changed files with 78 additions and 52 deletions
--- a/parser/Makefile
+++ b/parser/Makefile
@@ -286,15 +286,15 @@ af_names.h: ../common/list_af_names.sh
 	# cat $@

 generated_cap_names.h: /usr/include/linux/capability.h
-	../common/list_capabilities.sh | LC_ALL=C sed -n -e "s/[ \\t]\\?CAP_\\([A-Z0-9_]\\+\\)/\{\"\\L\\1\", \\UCAP_\\1\},\\n/pg" > $@
+	../common/list_capabilities.sh | LC_ALL=C sed -n -e "s/[ \\t]\\?CAP_\\([A-Z0-9_]\\+\\)/\{\"\\L\\1\", \\UCAP_\\1, NO_BACKMAP_CAP\},\\n/pg" > $@

 cap_names.h: generated_cap_names.h base_cap_names.h
-	@ diff -u base_cap_names.h generated_cap_names.h | grep '^\+[^+]' ; \
+	@sed -e 's/CAP_[A-Z0-9_]\+}/NO_BACKMAP_CAP}/g' base_cap_names.h | diff -u - generated_cap_names.h | grep '^\+[^+]' ; \
 	if [ $$? -eq 1 ] ; then \
 		cp base_cap_names.h $@ ; \
 	else \
 		echo "Error: new capabilities detected please update base_cap_names.h with values from generated_cap_names.h" ; \
-		diff -u base_cap_names.h generated_cap_names.h ; \
+		sed -e 's/CAP_[A-Z0-9_]\+}/NO_BACKMAP_CAP}/g' base_cap_names.h | diff -u - generated_cap_names.h ; \
 		exit 1; \
 	fi

--- a/parser/base_cap_names.h
+++ b/parser/base_cap_names.h
@@ -1,80 +1,80 @@
-{"audit_control", CAP_AUDIT_CONTROL},
+{"audit_control", CAP_AUDIT_CONTROL, NO_BACKMAP_CAP},

-{"audit_read", CAP_AUDIT_READ},
+{"audit_read", CAP_AUDIT_READ, NO_BACKMAP_CAP},

-{"audit_write", CAP_AUDIT_WRITE},
+{"audit_write", CAP_AUDIT_WRITE, NO_BACKMAP_CAP},

-{"block_suspend", CAP_BLOCK_SUSPEND},
+{"block_suspend", CAP_BLOCK_SUSPEND, NO_BACKMAP_CAP},

-{"bpf", CAP_BPF},
+{"bpf", CAP_BPF, CAP_SYS_ADMIN},

-{"chown", CAP_CHOWN},
+{"chown", CAP_CHOWN, NO_BACKMAP_CAP},

-{"dac_override", CAP_DAC_OVERRIDE},
+{"dac_override", CAP_DAC_OVERRIDE, NO_BACKMAP_CAP},

-{"dac_read_search", CAP_DAC_READ_SEARCH},
+{"dac_read_search", CAP_DAC_READ_SEARCH, NO_BACKMAP_CAP},

-{"fowner", CAP_FOWNER},
+{"fowner", CAP_FOWNER, NO_BACKMAP_CAP},

-{"fsetid", CAP_FSETID},
+{"fsetid", CAP_FSETID, NO_BACKMAP_CAP},

-{"ipc_lock", CAP_IPC_LOCK},
+{"ipc_lock", CAP_IPC_LOCK, NO_BACKMAP_CAP},

-{"ipc_owner", CAP_IPC_OWNER},
+{"ipc_owner", CAP_IPC_OWNER, NO_BACKMAP_CAP},

-{"kill", CAP_KILL},
+{"kill", CAP_KILL, NO_BACKMAP_CAP},

-{"lease", CAP_LEASE},
+{"lease", CAP_LEASE, NO_BACKMAP_CAP},

-{"linux_immutable", CAP_LINUX_IMMUTABLE},
+{"linux_immutable", CAP_LINUX_IMMUTABLE, NO_BACKMAP_CAP},

-{"mac_admin", CAP_MAC_ADMIN},
+{"mac_admin", CAP_MAC_ADMIN, NO_BACKMAP_CAP},

-{"mac_override", CAP_MAC_OVERRIDE},
+{"mac_override", CAP_MAC_OVERRIDE, NO_BACKMAP_CAP},

-{"mknod", CAP_MKNOD},
+{"mknod", CAP_MKNOD, NO_BACKMAP_CAP},

-{"net_admin", CAP_NET_ADMIN},
+{"net_admin", CAP_NET_ADMIN, NO_BACKMAP_CAP},

-{"net_bind_service", CAP_NET_BIND_SERVICE},
+{"net_bind_service", CAP_NET_BIND_SERVICE, NO_BACKMAP_CAP},

-{"net_broadcast", CAP_NET_BROADCAST},
+{"net_broadcast", CAP_NET_BROADCAST, NO_BACKMAP_CAP},

-{"net_raw", CAP_NET_RAW},
+{"net_raw", CAP_NET_RAW, NO_BACKMAP_CAP},

-{"perfmon", CAP_PERFMON},
+{"perfmon", CAP_PERFMON, CAP_SYS_ADMIN},

-{"setfcap", CAP_SETFCAP},
+{"setfcap", CAP_SETFCAP, NO_BACKMAP_CAP},

-{"setgid", CAP_SETGID},
+{"setgid", CAP_SETGID, NO_BACKMAP_CAP},

-{"setpcap", CAP_SETPCAP},
+{"setpcap", CAP_SETPCAP, NO_BACKMAP_CAP},

-{"setuid", CAP_SETUID},
+{"setuid", CAP_SETUID, NO_BACKMAP_CAP},

-{"syslog", CAP_SYSLOG},
+{"syslog", CAP_SYSLOG, NO_BACKMAP_CAP},

-{"sys_admin", CAP_SYS_ADMIN},
+{"sys_admin", CAP_SYS_ADMIN, NO_BACKMAP_CAP},

-{"sys_boot", CAP_SYS_BOOT},
+{"sys_boot", CAP_SYS_BOOT, NO_BACKMAP_CAP},

-{"sys_chroot", CAP_SYS_CHROOT},
+{"sys_chroot", CAP_SYS_CHROOT, NO_BACKMAP_CAP},

-{"sys_module", CAP_SYS_MODULE},
+{"sys_module", CAP_SYS_MODULE, NO_BACKMAP_CAP},

-{"sys_nice", CAP_SYS_NICE},
+{"sys_nice", CAP_SYS_NICE, NO_BACKMAP_CAP},

-{"sys_pacct", CAP_SYS_PACCT},
+{"sys_pacct", CAP_SYS_PACCT, NO_BACKMAP_CAP},

-{"sys_ptrace", CAP_SYS_PTRACE},
+{"sys_ptrace", CAP_SYS_PTRACE, NO_BACKMAP_CAP},

-{"sys_rawio", CAP_SYS_RAWIO},
+{"sys_rawio", CAP_SYS_RAWIO, NO_BACKMAP_CAP},

-{"sys_resource", CAP_SYS_RESOURCE},
+{"sys_resource", CAP_SYS_RESOURCE, NO_BACKMAP_CAP},

-{"sys_time", CAP_SYS_TIME},
+{"sys_time", CAP_SYS_TIME, NO_BACKMAP_CAP},

-{"sys_tty_config", CAP_SYS_TTY_CONFIG},
+{"sys_tty_config", CAP_SYS_TTY_CONFIG, NO_BACKMAP_CAP},

-{"wake_alarm", CAP_WAKE_ALARM},
+{"wake_alarm", CAP_WAKE_ALARM, NO_BACKMAP_CAP},

--- a/parser/parser_misc.c
+++ b/parser/parser_misc.c
@@ -165,6 +165,8 @@ static int get_table_token(const char *name unused, struct keyword_table *table,
 	return -1;
 }

+#define NO_BACKMAP_CAP 0xff
+
 #ifndef CAP_PERFMON
 #define CAP_PERFMON 38
 #endif
@@ -173,14 +175,38 @@ static int get_table_token(const char *name unused, struct keyword_table *table,
 #define CAP_BPF 39
 #endif

-static struct keyword_table capability_table[] = {
+struct capability_table {
+	const char *cap;
+	unsigned int token;
+	unsigned int backmap;
+};
+
+static struct capability_table base_capability_table[] = {
 	/* capabilities */
 	#include "cap_names.h"

 	/* terminate */
-	{NULL, 0}
+	{NULL, 0, 0}
 };

+static int get_cap_token(const char *name unused, struct capability_table *table,
+			 const char *cap)
+{
+	int i;
+
+	for (i = 0; table[i].cap; i++) {
+		PDEBUG("Checking %s %s\n", name, table[i].cap);
+		if (strcmp(cap, table[i].cap) == 0) {
+			PDEBUG("Found %s %s\n", name, table[i].cap);
+			return table[i].token;
+		}
+	}
+
+	PDEBUG("Unable to find %s %s\n", name, cap);
+	return -1;
+}
+
+
 /* for alpha matches, check for keywords */
 int get_keyword_token(const char *keyword)
 {
@@ -189,7 +215,7 @@ int get_keyword_token(const char *keyword)

 int name_to_capability(const char *keyword)
 {
-	return get_table_token("capability", capability_table, keyword);
+	return get_cap_token("capability", base_capability_table, keyword);
 }

 int get_rlimit(const char *name)
@@ -844,9 +870,9 @@ const char *capability_to_name(unsigned int cap)
 {
 	int i;

-	for (i = 0; capability_table[i].keyword; i++) {
-		if (capability_table[i].token == cap)
-			return capability_table[i].keyword;
+	for (i = 0; base_capability_table[i].cap; i++) {
+		if (base_capability_table[i].token == cap)
+			return base_capability_table[i].cap;
 	}

 	return "invalid-capability";
@@ -858,9 +884,9 @@ void __debug_capabilities(uint64_t capset, const char *name)

 	printf("%s:", name);

-	for (i = 0; capability_table[i].keyword; i++) {
-		if ((1ull << capability_table[i].token) & capset)
-			printf (" %s", capability_table[i].keyword);
+	for (i = 0; base_capability_table[i].cap; i++) {
+		if ((1ull << base_capability_table[i].token) & capset)
+			printf (" %s", base_capability_table[i].cap);
 	}
 	printf("\n");
 }