mir/apparmor
2
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor synced 2025-09-02 07:15:18 +00:00
Code Issues Releases Wiki Activity

CapabilityRule: Add list of known capabilities

Browse Source 
... and add a test to ensure that the list is/stays complete.
This commit is contained in:
Christian Boltz
2023-10-29 21:28:13 +01:00
parent 57ba373213
commit 5c34655f4a
2 changed files with 32 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
utils/apparmor/rule/capability.py
View File

@@ -22,6 +22,15 @@ from apparmor.translations import init_translation
_ = init_translation() _ = init_translation()
capability_keywords = [
'audit_control', 'audit_read', 'audit_write', 'block_suspend', 'bpf', 'checkpoint_restore',
'chown', 'dac_override', 'dac_read_search', 'fowner', 'fsetid', 'ipc_lock', 'ipc_owner',
'kill', 'lease', 'linux_immutable', 'mac_admin', 'mac_override', 'mknod', 'net_admin',
'net_bind_service', 'net_broadcast', 'net_raw', 'perfmon', 'setfcap', 'setgid', 'setpcap',
'setuid', 'syslog', 'sys_admin', 'sys_boot', 'sys_chroot', 'sys_module', 'sys_nice',
'sys_pacct', 'sys_ptrace', 'sys_rawio', 'sys_resource', 'sys_time', 'sys_tty_config',
'wake_alarm']
class CapabilityRule(BaseRule): class CapabilityRule(BaseRule):
"""Class to handle and store a single capability rule""" """Class to handle and store a single capability rule"""

25
utils/test/test-capability.py
View File

@@ -16,15 +16,36 @@
import unittest import unittest
import apparmor.severity as severity import apparmor.severity as severity
from apparmor.common import AppArmorBug, AppArmorException, hasher from apparmor.common import AppArmorBug, AppArmorException, cmd, hasher
from apparmor.logparser import ReadLog from apparmor.logparser import ReadLog
from apparmor.rule.capability import CapabilityRule, CapabilityRuleset from apparmor.rule.capability import CapabilityRule, CapabilityRuleset, capability_keywords
from apparmor.translations import init_translation from apparmor.translations import init_translation
from common_test import AATest, setup_all_loops from common_test import AATest, setup_all_loops
_ = init_translation() _ = init_translation()
# --- check if the keyword list is up to date --- #
class CapabilityKeywordsTest(AATest):
def test_capability_keyword_list(self):
rc, output = cmd('../../common/list_capabilities.sh')
self.assertEqual(rc, 0)
cap_list = output.replace('CAP_', '').strip().lower().split('\n')
missing_caps = []
for keyword in cap_list:
if keyword not in capability_keywords:
# keywords missing in the system are ok (= older kernel), but cap_list needs to have the full list
missing_caps.append(keyword)
self.assertEqual(
missing_caps, [],
'Missing capabilities in CapabilityRule capabilities list. This test is likely running '
'on an newer kernel and will require updating the list of capability keywords in '
'utils/apparmor/rule/capability.py')
# --- tests for single CapabilityRule --- # # --- tests for single CapabilityRule --- #
class CapabilityTest(AATest): class CapabilityTest(AATest):