CapabilityRule: Add list of known capabilities

... and add a test to ensure that the list is/stays complete.
2025-09-02 07:15:18 +00:00 · 2023-10-29 21:28:13 +01:00
parent 57ba373213
commit 5c34655f4a
2 changed files with 32 additions and 2 deletions
--- a/utils/apparmor/rule/capability.py
+++ b/utils/apparmor/rule/capability.py
@@ -22,6 +22,15 @@ from apparmor.translations import init_translation

 _ = init_translation()

+capability_keywords = [
+    'audit_control', 'audit_read', 'audit_write', 'block_suspend', 'bpf', 'checkpoint_restore',
+    'chown', 'dac_override', 'dac_read_search', 'fowner', 'fsetid', 'ipc_lock', 'ipc_owner',
+    'kill', 'lease', 'linux_immutable', 'mac_admin', 'mac_override', 'mknod', 'net_admin',
+    'net_bind_service', 'net_broadcast', 'net_raw', 'perfmon', 'setfcap', 'setgid', 'setpcap',
+    'setuid', 'syslog', 'sys_admin', 'sys_boot', 'sys_chroot', 'sys_module', 'sys_nice',
+    'sys_pacct', 'sys_ptrace', 'sys_rawio', 'sys_resource', 'sys_time', 'sys_tty_config',
+    'wake_alarm']
+

 class CapabilityRule(BaseRule):
    """Class to handle and store a single capability rule"""
--- a/utils/test/test-capability.py
+++ b/utils/test/test-capability.py
@@ -16,15 +16,36 @@
 import unittest

 import apparmor.severity as severity
-from apparmor.common import AppArmorBug, AppArmorException, hasher
+from apparmor.common import AppArmorBug, AppArmorException, cmd, hasher
 from apparmor.logparser import ReadLog
-from apparmor.rule.capability import CapabilityRule, CapabilityRuleset
+from apparmor.rule.capability import CapabilityRule, CapabilityRuleset, capability_keywords
 from apparmor.translations import init_translation
 from common_test import AATest, setup_all_loops

 _ = init_translation()


+# --- check if the keyword list is up to date --- #
+
+class CapabilityKeywordsTest(AATest):
+    def test_capability_keyword_list(self):
+        rc, output = cmd('../../common/list_capabilities.sh')
+        self.assertEqual(rc, 0)
+
+        cap_list = output.replace('CAP_', '').strip().lower().split('\n')
+
+        missing_caps = []
+        for keyword in cap_list:
+            if keyword not in capability_keywords:
+                # keywords missing in the system are ok (= older kernel), but cap_list needs to have the full list
+                missing_caps.append(keyword)
+
+        self.assertEqual(
+            missing_caps, [],
+            'Missing capabilities in CapabilityRule capabilities list. This test is likely running '
+            'on an newer kernel and will require updating the list of capability keywords in '
+            'utils/apparmor/rule/capability.py')
+
 # --- tests for single CapabilityRule --- #

 class CapabilityTest(AATest):