parser: add a set of flags to the capability tables

We need a set of flags to track where a capability can from so we know how to processes it for policy compatibility purposes. Signed-off-by: John Johansen <john.johansen@canonical.com>
2025-09-03 07:45:50 +00:00 · 2020-07-02 06:37:39 -07:00
parent 8a1260db47
commit 48974e552c
3 changed files with 50 additions and 47 deletions
--- a/parser/Makefile
+++ b/parser/Makefile
@@ -286,15 +286,15 @@ af_names.h: ../common/list_af_names.sh
 	# cat $@
 generated_cap_names.h: /usr/include/linux/capability.h
-	../common/list_capabilities.sh | LC_ALL=C sed -n -e "s/[ \\t]\\?CAP_\\([A-Z0-9_]\\+\\)/\{\"\\L\\1\", \\UCAP_\\1, NO_BACKMAP_CAP\},\\n/pg" > $@
+	../common/list_capabilities.sh | LC_ALL=C sed -n -e "s/[ \\t]\\?CAP_\\([A-Z0-9_]\\+\\)/\{\"\\L\\1\", \\UCAP_\\1, NO_BACKMAP_CAP, CAPFLAG_BASE_FEATURE\},\\n/pg" > $@
 cap_names.h: generated_cap_names.h base_cap_names.h
-	@sed -e 's/CAP_[A-Z0-9_]\+}/NO_BACKMAP_CAP}/g' base_cap_names.h | diff -u - generated_cap_names.h | grep '^\+[^+]' ; \
+	@sed -e 's/CAP_[A-Z0-9_]\+}/NO_BACKMAP_CAP,/g' base_cap_names.h | diff -u - generated_cap_names.h | grep '^\+[^+]' ; \
 	if [ $$? -eq 1 ] ; then \
 		cp base_cap_names.h $@ ; \
 	else \
 		echo "Error: new capabilities detected please update base_cap_names.h with values from generated_cap_names.h" ; \
-		sed -e 's/CAP_[A-Z0-9_]\+}/NO_BACKMAP_CAP}/g' base_cap_names.h | diff -u - generated_cap_names.h ; \
+		sed -e 's/CAP_[A-Z0-9_]\+}/NO_BACKMAP_CAP,/g' base_cap_names.h | diff -u - generated_cap_names.h ; \
 		exit 1; \
 	fi
--- a/parser/base_cap_names.h
+++ b/parser/base_cap_names.h
@@ -1,80 +1,80 @@
-{"audit_control", CAP_AUDIT_CONTROL, NO_BACKMAP_CAP},
+{"audit_control", CAP_AUDIT_CONTROL, NO_BACKMAP_CAP, CAPFLAG_BASE_FEATURE},
-{"audit_read", CAP_AUDIT_READ, NO_BACKMAP_CAP},
+{"audit_read", CAP_AUDIT_READ, NO_BACKMAP_CAP, CAPFLAG_BASE_FEATURE},
-{"audit_write", CAP_AUDIT_WRITE, NO_BACKMAP_CAP},
+{"audit_write", CAP_AUDIT_WRITE, NO_BACKMAP_CAP, CAPFLAG_BASE_FEATURE},
-{"block_suspend", CAP_BLOCK_SUSPEND, NO_BACKMAP_CAP},
+{"block_suspend", CAP_BLOCK_SUSPEND, NO_BACKMAP_CAP, CAPFLAG_BASE_FEATURE},
-{"bpf", CAP_BPF, CAP_SYS_ADMIN},
+{"bpf", CAP_BPF, CAP_SYS_ADMIN, CAPFLAG_BASE_FEATURE},
-{"chown", CAP_CHOWN, NO_BACKMAP_CAP},
+{"chown", CAP_CHOWN, NO_BACKMAP_CAP, CAPFLAG_BASE_FEATURE},
-{"dac_override", CAP_DAC_OVERRIDE, NO_BACKMAP_CAP},
+{"dac_override", CAP_DAC_OVERRIDE, NO_BACKMAP_CAP, CAPFLAG_BASE_FEATURE},
-{"dac_read_search", CAP_DAC_READ_SEARCH, NO_BACKMAP_CAP},
+{"dac_read_search", CAP_DAC_READ_SEARCH, NO_BACKMAP_CAP, CAPFLAG_BASE_FEATURE},
-{"fowner", CAP_FOWNER, NO_BACKMAP_CAP},
+{"fowner", CAP_FOWNER, NO_BACKMAP_CAP, CAPFLAG_BASE_FEATURE},
-{"fsetid", CAP_FSETID, NO_BACKMAP_CAP},
+{"fsetid", CAP_FSETID, NO_BACKMAP_CAP, CAPFLAG_BASE_FEATURE},
-{"ipc_lock", CAP_IPC_LOCK, NO_BACKMAP_CAP},
+{"ipc_lock", CAP_IPC_LOCK, NO_BACKMAP_CAP, CAPFLAG_BASE_FEATURE},
-{"ipc_owner", CAP_IPC_OWNER, NO_BACKMAP_CAP},
+{"ipc_owner", CAP_IPC_OWNER, NO_BACKMAP_CAP, CAPFLAG_BASE_FEATURE},
-{"kill", CAP_KILL, NO_BACKMAP_CAP},
+{"kill", CAP_KILL, NO_BACKMAP_CAP, CAPFLAG_BASE_FEATURE},
-{"lease", CAP_LEASE, NO_BACKMAP_CAP},
+{"lease", CAP_LEASE, NO_BACKMAP_CAP, CAPFLAG_BASE_FEATURE},
-{"linux_immutable", CAP_LINUX_IMMUTABLE, NO_BACKMAP_CAP},
+{"linux_immutable", CAP_LINUX_IMMUTABLE, NO_BACKMAP_CAP, CAPFLAG_BASE_FEATURE},
-{"mac_admin", CAP_MAC_ADMIN, NO_BACKMAP_CAP},
+{"mac_admin", CAP_MAC_ADMIN, NO_BACKMAP_CAP, CAPFLAG_BASE_FEATURE},
-{"mac_override", CAP_MAC_OVERRIDE, NO_BACKMAP_CAP},
+{"mac_override", CAP_MAC_OVERRIDE, NO_BACKMAP_CAP, CAPFLAG_BASE_FEATURE},
-{"mknod", CAP_MKNOD, NO_BACKMAP_CAP},
+{"mknod", CAP_MKNOD, NO_BACKMAP_CAP, CAPFLAG_BASE_FEATURE},
-{"net_admin", CAP_NET_ADMIN, NO_BACKMAP_CAP},
+{"net_admin", CAP_NET_ADMIN, NO_BACKMAP_CAP, CAPFLAG_BASE_FEATURE},
-{"net_bind_service", CAP_NET_BIND_SERVICE, NO_BACKMAP_CAP},
+{"net_bind_service", CAP_NET_BIND_SERVICE, NO_BACKMAP_CAP, CAPFLAG_BASE_FEATURE},
-{"net_broadcast", CAP_NET_BROADCAST, NO_BACKMAP_CAP},
+{"net_broadcast", CAP_NET_BROADCAST, NO_BACKMAP_CAP, CAPFLAG_BASE_FEATURE},
-{"net_raw", CAP_NET_RAW, NO_BACKMAP_CAP},
+{"net_raw", CAP_NET_RAW, NO_BACKMAP_CAP, CAPFLAG_BASE_FEATURE},
-{"perfmon", CAP_PERFMON, CAP_SYS_ADMIN},
+{"perfmon", CAP_PERFMON, CAP_SYS_ADMIN, CAPFLAG_BASE_FEATURE},
-{"setfcap", CAP_SETFCAP, NO_BACKMAP_CAP},
+{"setfcap", CAP_SETFCAP, NO_BACKMAP_CAP, CAPFLAG_BASE_FEATURE},
-{"setgid", CAP_SETGID, NO_BACKMAP_CAP},
+{"setgid", CAP_SETGID, NO_BACKMAP_CAP, CAPFLAG_BASE_FEATURE},
-{"setpcap", CAP_SETPCAP, NO_BACKMAP_CAP},
+{"setpcap", CAP_SETPCAP, NO_BACKMAP_CAP, CAPFLAG_BASE_FEATURE},
-{"setuid", CAP_SETUID, NO_BACKMAP_CAP},
+{"setuid", CAP_SETUID, NO_BACKMAP_CAP, CAPFLAG_BASE_FEATURE},
-{"syslog", CAP_SYSLOG, NO_BACKMAP_CAP},
+{"syslog", CAP_SYSLOG, NO_BACKMAP_CAP, CAPFLAG_BASE_FEATURE},
-{"sys_admin", CAP_SYS_ADMIN, NO_BACKMAP_CAP},
+{"sys_admin", CAP_SYS_ADMIN, NO_BACKMAP_CAP, CAPFLAG_BASE_FEATURE},
-{"sys_boot", CAP_SYS_BOOT, NO_BACKMAP_CAP},
+{"sys_boot", CAP_SYS_BOOT, NO_BACKMAP_CAP, CAPFLAG_BASE_FEATURE},
-{"sys_chroot", CAP_SYS_CHROOT, NO_BACKMAP_CAP},
+{"sys_chroot", CAP_SYS_CHROOT, NO_BACKMAP_CAP, CAPFLAG_BASE_FEATURE},
-{"sys_module", CAP_SYS_MODULE, NO_BACKMAP_CAP},
+{"sys_module", CAP_SYS_MODULE, NO_BACKMAP_CAP, CAPFLAG_BASE_FEATURE},
-{"sys_nice", CAP_SYS_NICE, NO_BACKMAP_CAP},
+{"sys_nice", CAP_SYS_NICE, NO_BACKMAP_CAP, CAPFLAG_BASE_FEATURE},
-{"sys_pacct", CAP_SYS_PACCT, NO_BACKMAP_CAP},
+{"sys_pacct", CAP_SYS_PACCT, NO_BACKMAP_CAP, CAPFLAG_BASE_FEATURE},
-{"sys_ptrace", CAP_SYS_PTRACE, NO_BACKMAP_CAP},
+{"sys_ptrace", CAP_SYS_PTRACE, NO_BACKMAP_CAP, CAPFLAG_BASE_FEATURE},
-{"sys_rawio", CAP_SYS_RAWIO, NO_BACKMAP_CAP},
+{"sys_rawio", CAP_SYS_RAWIO, NO_BACKMAP_CAP, CAPFLAG_BASE_FEATURE},
-{"sys_resource", CAP_SYS_RESOURCE, NO_BACKMAP_CAP},
+{"sys_resource", CAP_SYS_RESOURCE, NO_BACKMAP_CAP, CAPFLAG_BASE_FEATURE},
-{"sys_time", CAP_SYS_TIME, NO_BACKMAP_CAP},
+{"sys_time", CAP_SYS_TIME, NO_BACKMAP_CAP, CAPFLAG_BASE_FEATURE},
-{"sys_tty_config", CAP_SYS_TTY_CONFIG, NO_BACKMAP_CAP},
+{"sys_tty_config", CAP_SYS_TTY_CONFIG, NO_BACKMAP_CAP, CAPFLAG_BASE_FEATURE},
-{"wake_alarm", CAP_WAKE_ALARM, NO_BACKMAP_CAP},
+{"wake_alarm", CAP_WAKE_ALARM, NO_BACKMAP_CAP, CAPFLAG_BASE_FEATURE},
--- a/parser/parser_misc.c
+++ b/parser/parser_misc.c
@@ -188,15 +188,18 @@ int get_rlimit(const char *name)
 #endif
 typedef enum capability_flags {
-	CAP_KERNEL_FEATURE = 1,
+	CAPFLAGS_CLEAR = 0,
-	CAP_POLICY_FEATURE = 2,
+	CAPFLAG_BASE_FEATURE = 1,
-	CAP_EXTERNAL_FEATURE = 4,
+	CAPFLAG_KERNEL_FEATURE = 2,
 	CAPFLAG_POLICY_FEATURE = 4,
 	CAPFLAG_EXTERNAL_FEATURE = 8,
 } capability_flags;
 struct capability_table {
 	const char *cap;
 	unsigned int token;
 	unsigned int backmap;
 	capability_flags flags;
 };
 static struct capability_table base_capability_table[] = {
@@ -204,7 +207,7 @@ static struct capability_table base_capability_table[] = {
 	#include "cap_names.h"
 	/* terminate */
-	{NULL, 0, 0}
+	{NULL, 0, 0, CAPFLAGS_CLEAR}
 };
 static int get_cap_token(const char *name unused, struct capability_table *table,